Back to skill

Security audit

Tax Renewable Resources 再生资源行业财税合规风险自查与应对指引

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches a tax-compliance assistant, but it includes under-disclosed network, logging, credential, and backend administration capabilities that users should review before installing.

Install only if you are comfortable with a cloud-backed tax assistant that stores local credentials, device identifiers, logs, and feedback queues under ~/.workbuddy, and may send tax questions to its remote service or public search engines during fallback. Avoid entering raw invoices, full tax IDs, personal identifiers, bank details, or confidential business records. Review or disable any backend admin/Git/update functions before allowing broad tool access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The skill is presented as a narrow renewable-resources tax-compliance assistant, but the behavior summary indicates much broader capabilities: web search, generic tax Q&A/calculation, feedback/statistics, knowledge-base updates, Git/version-control actions, and offline workflow tooling. This mismatch can mislead users and reviewers about the true attack surface, causing them to grant trust or permissions inappropriate for the actual functionality.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The skill advertises itself as a focused renewable-resources compliance tool, yet it encourages one-command installation of a wider tax-skill matrix. That creates a supply-chain expansion risk: a user invoking a narrowly scoped skill may unknowingly authorize acquisition of many additional components with broader behavior and permissions.

Intent-Code Divergence

Medium
Confidence
78% confidence
Finding
The document says the skill is 'not cross-domain,' but elsewhere it states it will detect unrelated domains and recommend or trigger installation of other specialty skills. This contradiction weakens informed consent and can obscure how far the skill's behavior extends beyond its stated boundary.

Intent-Code Divergence

Low
Confidence
80% confidence
Finding
The privacy statement says no device or host information is collected, but the skill declares filesystem access and describes automatic download/install behavior into the user's skill directory. Even if host identifiers are not intentionally collected, local file access and installation operations materially affect the host environment and make the privacy/safety statement incomplete or misleading.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
This client exposes feedback administration, update-log access, and Git-control operations that are materially broader than a tax-policy advisory assistant’s declared purpose. Even if these are intended as maintenance features, bundling remote administrative capabilities into an end-user skill increases attack surface and enables misuse of the skill as a control plane for backend content or repository state.

Context-Inappropriate Capability

Critical
Confidence
98% confidence
Finding
The code exposes remote Git initialization, backup, log retrieval, diff, and rollback functions through a tax assistant client, which is unrelated to the declared function of answering tax-policy questions. If these endpoints are reachable with the same client context, an attacker or prompt-injected workflow could manipulate backend repository state, inspect changes, or trigger destructive rollbacks.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
Automatic registration and persistent storage of API credentials/device identifiers expand the skill’s behavior beyond simple tax assistance and create a privacy and security concern if local files are exposed or if registration is performed without informed consent. While likely intended to streamline onboarding, persistent identifiers and credentials can be abused for tracking, unauthorized reuse, or account linkage.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The fallback mode performs live web searches against public search engines, a capability not reflected in the stated manifest scope. This creates undisclosed outbound data transfer of user questions and can return untrusted, potentially manipulated content into a tax-compliance workflow where accuracy and confidentiality matter.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill describes automatic installation of additional skills into the user's local skill directory without a prominent upfront warning that local files will be modified. Silent or weakly disclosed installation behavior is dangerous because it changes the local environment and can introduce new code, permissions, or data flows beyond what the user expected from the original skill.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill automatically registers with a remote service and transmits a persistent device identifier without any visible user warning or consent path in this code. In a financial/tax context, silent identifier transmission increases privacy risk and may surprise users who expect a local advisory assistant rather than a networked tracking client.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
User questions and scenarios are written to local log files without any visible notice, despite likely containing sensitive tax, invoice, compliance, or business data. Plain local persistence increases the risk of later disclosure to other local users, malware, backups, or support processes.

Ssd 3

Medium
Confidence
96% confidence
Finding
The client persistently stores user questions, scenarios, expected answers, and feedback queue entries in plain language for later submission and diagnostics. In a tax/compliance assistant, these records may contain sensitive financial, operational, or potentially incriminating compliance details, so persistent cleartext storage materially raises confidentiality risk.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.