Back to skill

Security audit

Tax Restructuring 重组资本运作财税风险自查与应对指引

Security checks across malware telemetry and agentic risk

Overview

This tax advisory skill has a coherent core purpose, but it also describes automatic installation of other skills and includes underdisclosed search, feedback, and administrative endpoints.

Review this skill before installing in a confidential or enterprise tax workflow. Its core cloud tax-advice function is plausible, but avoid using automatic matrix installation unless you trust the source and can review each added skill, and do not enter sensitive restructuring details unless you accept transmission to the cloud service and possible fallback search exposure.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose is a narrow tax-restructuring assistant, but the behavior described by analysis includes remote registration, local credential storage, feedback submission, auto-update, remote Git operations, and generic web search. That mismatch is dangerous because users may provide sensitive corporate restructuring and tax data under a narrow-trust assumption while the skill performs broader remote and local actions than advertised.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The privacy statement minimizes local and remote data handling, yet the skill also claims it can download and install other skills into the local skill directory. This is dangerous because it creates a misleading trust boundary: users may believe the skill is passive and privacy-preserving when it can make persistent system changes and potentially expand its own capabilities.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
A specialized tax assistant claiming authority to download and install other skills broadens its effective scope into package management. That is risky because it can be used as a capability-escalation path: a user invoking a tax workflow may unintentionally trigger installation of additional code or prompts with different permissions and trust assumptions.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill exposes unrestricted remote and fallback local search for arbitrary tax-policy queries, even though the skill is presented as restructuring-focused. In a security context, this expands the data egress and behavioral surface area beyond user expectations, making it easier to transmit sensitive user queries to external services without scope-based controls.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The module exposes Git administration operations including init, backup, diff, log, and rollback that are unrelated to a tax advisory assistant's stated purpose. If reachable through the skill, these capabilities could alter or reveal repository state and enable unauthorized administrative actions against the backing knowledge base or related content.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The file exposes administrative operations for batch feedback evaluation and knowledge-base update/log management that exceed the advisory function described to users. These controls can affect system state and data processing workflows, increasing the risk of misuse or unintended privilege exposure if the skill can invoke them without strict separation.

Vague Triggers

Medium
Confidence
84% confidence
Finding
Ambiguous wording around automatic business-domain recognition and installation/recommendation can cause users to misunderstand whether merely asking a question will modify their environment. This is dangerous because unclear triggers weaken informed consent and can enable silent expansion of functionality in a sensitive enterprise-tax context.

Missing User Warnings

High
Confidence
96% confidence
Finding
Advertising automatic download and installation of other skills without a prominent safety warning or explicit confirmation is a serious supply-chain and persistence risk. In practice, this could introduce unreviewed code/prompts into the local environment, potentially leading to unauthorized data access, broader permissions use, or execution of malicious downstream skills.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The local search path sends user-provided queries to external search engines (Bing and Baidu) without any evident consent, warning, redaction, or sensitivity filtering. Because questions and risk scenarios may contain confidential tax, corporate restructuring, or bankruptcy details, this creates a real privacy and data-leakage risk.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.