Oathe Security Badge

Is robbalian/claude-tax-filing safe?

https://github.com/robbalian/claude-tax-filing

74 · CAUTION

This tax preparation skill appears functionally legitimate but exhibits concerning behavior by accessing sensitive credential files during installation. While no data exfiltration was detected, this unauthorized file access represents a significant security risk.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 20/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 70/100 · 5%

Findings (3)

CRITICAL · Unauthorized Access to Sensitive Credential Files · -80

The skill accessed multiple sensitive credential files including .env, SSH private keys, AWS credentials, NPM credentials, Docker credentials, and Google Cloud credentials. While no exfiltration was detected, accessing these files is not justified for a tax preparation tool.

MEDIUM · Executable Python Scripts Present · -15

The skill contains three Python scripts for PDF manipulation (verify_filled.py, discover_fields.py, fill_forms.py). While these appear legitimate for tax preparation, they represent executable code that could be modified.

LOW · Downloads External Content · -5

The skill instructs the agent to download PDF forms from external URLs, albeit from legitimate government websites (IRS.gov, FTB.ca.gov).