Trust Assessment
tax-professional received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 0 critical, 3 high, 2 medium, and 0 low severity. Key findings include "Skill defines and executes shell commands", "Skill requests permission to manage cron jobs", and "Skill requests permission for external communication via Telegram".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 41/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Description | Layer | Location |
|---|---|---|---|---|
| HIGH | Skill defines and executes shell commands | The skill explicitly defines and instructs the execution of `clawdbot cron add` commands, which are shell commands. While the parameters are hardcoded in the provided content, the presence of direct shell execution capability means the skill can run arbitrary commands on the host system. This is a powerful primitive that could be exploited if any part of the command string were to become controllable by untrusted input. Implement strict sandboxing for shell execution. Ensure all parameters passed to shell commands are validated and sanitized, especially if derived from user input. Consider using safer, language-native APIs instead of direct shell calls where possible. | LLM | SKILL.md:240 |
| HIGH | Skill requests permission to manage cron jobs | The skill explicitly instructs the system to add cron jobs using `clawdbot cron add`. This grants the skill the ability to schedule persistent execution of commands on the host system. This is a broad and powerful permission that could be abused to maintain persistence or execute malicious code if the skill were compromised. Restrict the skill's ability to manage system-level cron jobs. If cron-like functionality is required, use a sandboxed, skill-specific scheduling mechanism that does not grant direct system cron access. | LLM | SKILL.md:240 |
| HIGH | Skill stores sensitive financial data in `YYYY-expenses.json` | The skill explicitly instructs to "Log deductible expenses to `data/tax-professional/YYYY-expenses.json`". This file is designed to store highly sensitive financial data, including expense details, amounts, categories, and estimated tax payments. While the purpose is legitimate data storage, the presence of this high-value sensitive data in a file makes it a prime target for exfiltration if the skill's file system access were compromised. Implement strict sandboxing for file system access, limiting write permissions only to explicitly required files and directories. Encrypt sensitive data at rest. Ensure that access to this file is highly restricted and monitored. Consider using a secure, dedicated database for sensitive financial data instead of plain JSON files. | LLM | SKILL.md:100 |
| MEDIUM | Skill requests permission for external communication via Telegram | The skill's cron job definitions include `--channel telegram`, indicating that the skill intends to send messages to an external communication service (Telegram). While the hardcoded messages are not sensitive user data, this establishes an external communication channel. This permission could be leveraged for data exfiltration or command-and-control if the skill were compromised and the message content became controllable by untrusted input. Implement strict controls over external communication channels. Ensure that messages sent to external services are always hardcoded or derived from trusted sources, and that no user-controlled input can influence the message content or destination. Consider whitelisting allowed external endpoints. | LLM | SKILL.md:246 |
| MEDIUM | Skill reads user context from `USER.md` | The skill explicitly instructs to "Read `USER.md` for the user's employment type, location, filing status, and personal context." This grants the skill read access to a file that is likely to contain sensitive personal information. While the stated purpose is legitimate (tailoring advice), this access point could be exploited to exfiltrate sensitive user data if the skill were compromised. Implement strict sandboxing for file system access, limiting read permissions only to explicitly required files and directories. Ensure that sensitive user data is not stored in easily accessible plain text files like `USER.md` if possible, or that access to such files is highly restricted. | LLM | SKILL.md:10 |