Back to skill

Security audit

法律数据库检索助手

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed legal-search assistant that writes local HTML reports and uses user-configured legal database connectors, with no evidence of hidden or malicious behavior.

Before installing, confirm you trust the third-party legal data providers and protect any API keys or access tokens you place in MCP configuration. Treat generated HTML reports as potentially sensitive client or matter records and store or delete them according to your confidentiality requirements.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Low
Confidence
81% confidence
Finding
The skill instructs generating an HTML report file locally without explicitly warning the user that a file will be created. While lower severity, silent file creation can surprise users, clutter the filesystem, or create privacy/security issues if sensitive legal matter details are written to disk in predictable locations.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.