Back to skill

Security audit

Tax Life Services 生活服务业财税合规专题(医美·黄金珠宝)

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a disclosed cloud tax assistant, but it also exposes under-documented remote admin and Git-control functions and advertises broad automatic skill installation.

Install only if you are comfortable with a cloud-backed tax assistant storing a local API key under ~/.workbuddy and sending your tax questions or scenarios to mcp.aitaxs.top. Avoid entering raw personal, bank, tax ID, or confidential account data. Review the automatic related-skill installation behavior carefully, because it can add more skills to the local environment, and the package also contains backend Git/admin functions that are not clearly scoped for normal end users.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The skill presents itself as a narrowly scoped tax-compliance assistant, but the documented behavior expands into broad tax Q&A, remote MCP communication, auto-registration of external services, updates, feedback collection, and local Git/workflow operations. This scope mismatch is dangerous because users may grant trust and permissions appropriate for a limited advisory skill while the skill can perform materially broader networked and local actions.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The manifest markets a focused industry compliance helper, but the documentation describes a larger cross-domain tax skill matrix with automatic recommendations and expansion into unrelated domains. This can mislead users about the real operational scope and increase the attack surface through unexpected cross-skill interactions.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Automatic downloading and installation of other skills modifies the local environment and extends executable capabilities beyond what the user initially selected. That is dangerous because it creates a supply-chain pathway where additional code or prompts can be introduced without granular review at install time.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The privacy statement claims only a random anonymous identifier is used and that no device or host information is collected, yet the skill declares filesystem access and describes auto-install/update behavior. Even if no direct host fingerprinting is intended, those capabilities make the statement materially misleading and can cause users to underestimate local data exposure and environmental access.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The client exposes remote knowledge-base administration, update triggers, feedback batch processing, and Git control endpoints that materially exceed the stated purpose of a tax/compliance assistant. If these functions are reachable by the agent/runtime, they expand the attack surface from read-oriented Q&A into state-changing remote operations, enabling unauthorized content changes, rollback, or operational abuse of the backend.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The Git management methods allow initialization, backup, log retrieval, diffing, and rollback against a remote service, none of which are necessary for ordinary tax-policy assistance. In an agent setting, these capabilities can be invoked to alter or inspect backend repository state, potentially causing integrity loss, disclosure of internal change history, or destructive rollback of knowledge assets.

Vague Triggers

Medium
Confidence
74% confidence
Finding
Telling users the skill can be used 'just like chatting' without special commands suggests a very broad activation surface. In a skill that also advertises networked behavior and possible installation workflows, loose triggering increases the chance of accidental invocation and unintended side effects.

Vague Triggers

Medium
Confidence
81% confidence
Finding
Automatic first-use domain recognition without clear non-match behavior or activation limits makes it ambiguous when the skill will act, escalate, or recommend/install additional components. Ambiguity around triggers is risky because users cannot reliably predict when broader behaviors will be activated.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill advertises automatic download and installation of additional skills without a strong upfront warning that it will modify the user's local skill directory. Hidden or weakly disclosed local modification is dangerous because it changes the trusted execution environment and can persist beyond the current session.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The client auto-registers with an external service and persists/transmits an API key without any explicit user notice or consent flow. Even if the collected identifier is minimized, this still establishes an external account and enables ongoing linkage of usage to a persistent credential, which is a privacy and trust boundary violation in an agent skill.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The MCP call path sends user questions, scenarios, and API credentials to an external service and, in some cases, injects the API key into request parameters in addition to headers. This is dangerous because sensitive business, tax, or compliance scenarios may be exfiltrated without clear disclosure, and placing credentials in request bodies increases exposure through logging or downstream handling.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.