Back to skill

Security audit

Tax Metallurgy 冶金行业(黑色金属+有色金属+稀贵金属)财税合规风险自查与应对指引

Security checks across malware telemetry and agentic risk

Overview

This metallurgy tax assistant has a coherent core purpose, but it needs Review because it includes under-disclosed local persistence, undeclared web-search fallback, automatic skill-install guidance, and remote admin-style controls.

Review this skill before installing in a business environment. Use only desensitized tax scenarios, assume questions may go to the cloud service and sometimes to public search engines during fallback, and avoid the automatic matrix-install triggers unless you can review exactly what will be installed. Treat ~/.workbuddy as containing sensitive logs and credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The skill is presented as a narrow metallurgy tax-compliance assistant, but the described behavior extends into broad remote-service usage, generic tax computation, web search/fetch fallback, API-key registration/authentication, feedback telemetry, knowledge-base updates, and local Git-style maintenance operations. This mismatch is dangerous because users may consent to a domain-specific advisory skill while actually granting a much broader operational surface that can access network resources, modify local state, and transmit data off-device.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The privacy statement says the skill does not collect device information, yet the manifest also advertises automatic downloading and installation of additional skills into the local skill directory. Even if no classic device fingerprint is collected, this is a materially relevant local-system interaction that can mislead users about what the skill does on their machine and what metadata may be inferred during installation and service calls.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
A metallurgy tax assistant claiming it can download and install an entire matrix of other skills materially expands its trust boundary and attack surface beyond the stated purpose. This is dangerous because a user seeking tax guidance may unknowingly trigger code/content acquisition from remote sources, enabling supply-chain risk, privilege expansion, or installation of unrelated capabilities.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Automatic installation of other skills is not necessary for the core function of answering metallurgy tax-compliance questions, so it introduces unnecessary capability expansion. Unjustified installation behavior increases the chance of supply-chain compromise, unauthorized persistence in the local skill directory, and user confusion about what software is being added.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The file exposes broad administrative operations such as update-log access, update stats, feedback batch evaluation, and especially Git lifecycle controls that are far outside a normal end-user metallurgy tax assistant. This expands the skill from a scoped knowledge client into a remote management surface; if these functions are reachable by the agent or an untrusted prompt flow, they could alter, roll back, or inspect backend knowledge assets and operational state.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The client includes direct wrappers for Git initialization, backup, diff, log, and rollback operations, which are highly sensitive repository-control actions unrelated to ordinary tax-compliance assistance. In an agent setting, these become dangerous capabilities because prompt-driven or accidental invocation could change versioned content, reveal internal history, or revert data without a human change-control process.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The client silently falls back to external web search engines, sending user queries to third-party sites not described in the manifest. Even if intended as resilience, this changes the trust boundary and can leak sensitive tax or business questions to external providers, while also introducing uncontrolled content into answers.

Vague Triggers

Medium
Confidence
78% confidence
Finding
Telling users to interact 'just like chatting' without clear activation boundaries makes it easier to trigger unintended actions, especially in a skill that also advertises installation and remote-service behaviors. Broad, ordinary-language triggers increase the risk of accidental invocation, overcollection of sensitive business data, or unintentional execution of privileged flows.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The 'automatic domain recognition and installation' wording is ambiguous and broad, implying that the skill may decide on its own to fetch and install additional components based on conversational context. In a security-sensitive environment, such ambiguity is dangerous because it blurs the line between answering a question and performing software installation or remote retrieval actions.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation encourages phrases that trigger installation of additional skills but does not prominently warn that these commands will download and install new components. This omission is dangerous because users may believe they are only enabling a knowledge feature when they are actually authorizing software acquisition and local changes.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Feedback entries containing user questions and expected answers are appended to a local queue file without clear notice, consent, retention controls, or protection measures. This creates a local privacy exposure where sensitive business or tax information may persist on disk and be readable by other local processes or users depending on file permissions.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code persists API keys in a local JSON config under the user's home directory, but does not show any secure storage mechanism or user warning. Local plaintext credential storage increases the risk of token theft by malware, other local users, backups, or accidental disclosure, enabling unauthorized use of the remote service.

Ssd 3

Medium
Confidence
97% confidence
Finding
The client persistently logs user-supplied questions, risk scenarios, expected answers, and related operational details to local JSONL files and feedback queues in plain language. Because this skill handles tax, compliance, and potentially commercially sensitive scenarios, these logs can become a high-value local data leak path through filesystem access, backups, support bundles, or unintended sharing.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.