Back to skill

Security audit

tax-tcm-clinic

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a cloud-backed tax assistant, but it also includes under-disclosed credential persistence, raw query logging, third-party search fallback, automatic skill-install claims, and remote Git/admin controls.

Review before installing. Use it only if you are comfortable with a third-party cloud tax service receiving queries, local ~/.workbuddy files storing service credentials and question logs, and the package containing remote admin/Git controls. Do not paste personal identifiers, bank details, full tax numbers, patient data, or confidential ledgers unless the publisher provides clearer data-handling and retention terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises significant capabilities such as file writing, MCP, and network use while declaring no permissions, which breaks the trust boundary users and platforms rely on for informed consent. If those capabilities are available at runtime, the skill could write files, communicate externally, or orchestrate additional tools without explicit disclosure or review.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
This is a severe description-behavior mismatch: the skill presents itself as a tax-compliance assistant, but the detected behavior includes remote registration, credential persistence, external query transmission, scraping, logging, feedback queueing, updates, and administrative Git operations. Such hidden functionality can expose sensitive financial and medical-adjacent user scenarios, create persistence on disk, and expand the attack surface far beyond what a user would reasonably expect from the description.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The document makes a concrete privacy assurance that no device or personal data is collected, yet elsewhere describes cloud calls, auto-updates, and auto-download behavior without corresponding implementation evidence. False or unverifiable privacy claims are dangerous because they can induce users to share sensitive business, tax, or patient-adjacent data under mistaken assumptions about where that data goes.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The skill advertises tax-compliance assistance, but it also exposes remote Git administration endpoints such as init, backup, diff, log, and rollback. That capability is materially outside the stated purpose and expands the attack surface into repository/state manipulation; in an agent setting, hidden maintenance functions can be abused to alter knowledge bases, destroy history, or trigger unintended backend actions.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The client silently auto-registers with a remote service and persists credentials plus identifiers locally, despite the skill description not disclosing this behavior. Undisclosed credential enrollment and persistence create privacy, consent, and trust-boundary issues, especially in a domain likely to handle sensitive tax and medical-adjacent business queries.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Remote Git control is context-inappropriate for a medical tax-compliance assistant and introduces privileged operations unrelated to answering tax questions. In this context, the mismatch makes the behavior more dangerous because users and orchestration layers may grant trust based on the tax-assistant label while the code can invoke state-changing backend maintenance actions.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The fallback mode performs direct scraping of public search engines using crafted headers and HTML parsing, but this network behavior is not apparent from the declared skill purpose. Undisclosed outbound requests can leak user queries to third parties, produce inconsistent or manipulated results, and create compliance issues in a tax/medical-adjacent environment where users may expect controlled knowledge sources.

Vague Triggers

Medium
Confidence
80% confidence
Finding
Broad installation trigger phrases can collide with ordinary user language and cause unintended activation or installation flows. In a skill that also claims network and auto-install behavior, ambiguous triggers increase the chance of silent side effects such as downloading additional components or sending data externally without clear user intent.

Vague Triggers

Medium
Confidence
76% confidence
Finding
Telling users they can ask naturally 'without any special commands' makes invocation boundaries unclear, which can blur the line between passive Q&A and active operations. When combined with auto-installation and external-service behavior, unclear activation raises the risk of users unknowingly triggering networked or state-changing actions.

Vague Triggers

Medium
Confidence
89% confidence
Finding
Automatic domain recognition and installation of related skills without clear constraints creates an unsafe delegation and supply-chain risk. A user asking a normal tax question could trigger installation of additional packages or cross-skill actions, expanding permissions, network access, and data sharing beyond the original request.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Automatic registration sends a persistent device identifier to a remote service without clear user-facing notice at the points where registration is triggered. Even though the identifier is randomly generated rather than a hardware fingerprint, it still enables cross-session correlation and silent telemetry about installation/use.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Questions and risk scenarios are written to local log files without user-facing disclosure. Because this skill operates in tax and medical-institution contexts, those inputs may contain sensitive financial, compliance, employment, or health-adjacent operational details that could be exposed to other local users, backups, or endpoint monitoring tools.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Feedback submission stores questions and expected answers in a local queue file without clear disclosure. This can persist sensitive business or compliance narratives beyond the active session and may expose proprietary or personal information if the host is shared, compromised, or routinely backed up.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.