Back to skill

Security audit

Tax Pet Chain 宠物连锁行业财税合规风险自查与应对指引

Security checks across malware telemetry and agentic risk

Overview

The skill is mainly a pet-industry tax assistant, but it also advertises automatic skill installation and includes broad remote/admin and local data-persistence behavior that users should review before installing.

Install only if you are comfortable with cloud tax-service calls, public-search fallback, local storage under ~/.workbuddy, and the advertised ability to install related skills. Avoid entering sensitive identifiers, bank/card data, full tax numbers, or raw accounting records unless the publisher adds clearer data-handling and retention controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The skill is presented as a narrow pet-industry tax compliance assistant, but the documented behavior includes broad operational capabilities such as remote service communication, API key registration, local/online search, feedback telemetry, knowledge base updates, and even Git/version-management actions. This mismatch prevents informed consent and can conceal materially more powerful behavior than a user would reasonably expect from a topical advisory skill.

Intent-Code Divergence

Medium
Confidence
77% confidence
Finding
The privacy section states that no device information, hostname, or personal data is collected, yet the same document describes automatic domain recognition, remote service use, and automatic installation into a local skills directory. Even if the statement is not intentionally deceptive, it creates a misleading privacy assurance because these capabilities may require transmitting contextual or environmental data to function.

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
A single-topic pet tax advisory skill claims the ability to automatically install an entire related skill matrix, expanding its effective scope beyond the user-visible purpose. This is dangerous because it normalizes privilege expansion and code acquisition under the guise of expert guidance, increasing the attack surface without clear necessity.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
Automatically downloading and installing other skills into the local directory is a software distribution capability, not a normal requirement for answering tax questions. If abused or compromised, this could introduce arbitrary new code/prompts, persistence, and broader permissions into the user's environment via social engineering-friendly commands.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The client implements a broad local web-search fallback using public search engines rather than restricting retrieval to the declared pet-tax knowledge base. This expands the skill’s effective capability and data flow beyond its stated purpose, increasing the risk of unreviewed external content influencing answers and of user queries being sent to third-party search providers.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The file exposes remote Git administration actions such as init, backup, diff, log, and rollback, which are operational capabilities unrelated to a pet tax-compliance assistant. If these functions are reachable by the skill runtime, the skill can trigger sensitive server-side repository operations and potentially alter, inspect, or revert remote knowledge-base content.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The client exposes administrative actions for auto-updating the knowledge base and batch-evaluating feedback, which go beyond the assistant’s stated end-user purpose. These capabilities can let a skill invocation influence backend content-management workflows, creating an avenue for unintended updates, abuse of maintenance operations, or contamination of downstream knowledge processes.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The file is presented as an offline fallback tool, but it still performs HTTP requests to a local MCP service for health checks and tool calls. This can mislead downstream agents or users into assuming no network dependency exists, and if a local service on 127.0.0.1:9097 is malicious, compromised, or unexpectedly exposed, the tool may disclose request data or trust unverified responses.

Vague Triggers

Medium
Confidence
72% confidence
Finding
The trigger list includes broad phrases such as installation-oriented commands that may cause the skill to activate outside a narrowly scoped pet-tax consultation. Overbroad invocation language increases the chance of unintentional activation of higher-risk behaviors, especially when those behaviors include downloading additional skills.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The document says it will automatically recognize business domains and guide or switch behavior without defining clear activation boundaries. Ambiguous auto-routing can cause users to invoke capabilities they did not intend, including remote lookups or recommendations that escalate into installation actions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill advertises simple commands like 'install complete tax skill matrix' and 'install related tax skills' without a prominent warning that these commands will download and install additional software-like components. This undermines informed consent and creates a straightforward social-engineering path to expand functionality and persistence on the local system.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Registration and remote tool calls transmit user identifiers and natural-language query/scenario content to a third-party service without any evident user-facing notice or consent mechanism in this file. Because tax and compliance questions can contain sensitive commercial or personal information, silent transmission creates a material privacy and data-governance risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Feedback submission stores the user’s question and expected answer in a local JSONL queue file, in plain language and without any visible notice or minimization. These fields may contain sensitive tax, medical, business, or personal details, creating a local data-exposure path for other local users, backups, or compromised processes.

Ssd 3

Medium
Confidence
97% confidence
Finding
The client persistently logs and queues user-supplied questions, scenarios, and expected answers in plain text across local log and cache files. This creates a durable natural-language data leakage surface for potentially sensitive tax, business, medical, or personal information, especially on shared systems or in environments with weak endpoint security.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.