元典法条与案例检索 (Yuandian Statute and Case Retrieval)

Security checks across malware telemetry and agentic risk

Overview

This legal research skill appears legitimate, but it needs review because it recommends disabling safeguards and includes an unsigned self-update command that can replace skill files.

Install only if you are comfortable sending legal queries, case facts, and company due-diligence text to the Yuandian/Open Chinese Law service and storing results locally. Keep normal sandbox and approval protections enabled, protect scripts/.env, use --no-cwd-report or --no-report for sensitive matters, and avoid do-update unless you have independently verified the upstream GitHub source and changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (26)

Tainted flow: 'md_content' from pathlib.Path.read_text (line 2016, file read) → pathlib.Path.write_text (file write)

Medium
Category
Data Flow
Content
if args.output:
    # explicit --output path: create parent directories and write the report there
    output_path = Path(args.output)
    output_path.parent.mkdir(parents=True, exist_ok=True)
    output_path.write_text(md_content, "utf-8")
else:
    # no --output given: a copy of the report is written into the current working directory
    cwd_copy = cwd / report_filename
    cwd_copy.write_text(md_content, "utf-8")
Confidence
82% confidence
Finding
output_path.write_text(md_content, "utf-8")

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The documented self-update mechanism expands the skill’s trust boundary from a local legal-search tool to code and document replacement from a remote source. Even though the README describes limits such as preserving .env and archive/, downloading executable skill files from GitHub without strong integrity verification creates a supply-chain risk: a compromised repository, manifest, or transport path could cause malicious updates to be installed.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The description frames the skill as legal and case retrieval, but the skill also supports enterprise investigation and corporate risk profiling. That broader surveillance-style capability changes the sensitivity of the data being queried and returned, and users may invoke it without appreciating the additional privacy and compliance implications.

Description-Behavior Mismatch

Low
Confidence
93% confidence
Finding
The description frames the skill as legal and case retrieval, but the skill also supports enterprise investigation and corporate risk profiling. That broader surveillance-style capability changes the sensitivity of the data being queried and returned, and users may invoke it without appreciating the additional privacy and compliance implications.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
Remote self-update is outside the core legal-retrieval purpose and introduces a supply-chain risk. A feature that downloads and replaces local skill files can be abused if the update source, transport, or integrity checks are weak, leading to arbitrary behavior changes after initial trust has been granted.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The document states the skill's value has shifted toward archive/report generation, while the manifest still advertises a retrieval skill. This inconsistency increases the risk that users authorize the skill under an outdated mental model and do not expect substantial local data processing and persistence.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The manifest advertises platform categories that extend beyond the skill's declared purpose of legal-statute and case retrieval, including broad enterprise-information capabilities. This scope expansion can enable unnecessary access to corporate profiling and litigation-adjacent data, increasing the chance of overcollection or misuse relative to user expectations.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The manifest includes a large set of enterprise-information endpoints unrelated to simple law/article and case retrieval, such as company details, litigation lists, punishments, tax records, and other profiling data. In a legal-search skill, this creates a material data-minimization and scope-creep issue because an agent could access sensitive business intelligence without clear user need or transparent disclosure.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The workflow states that every real retrieval may automatically write a structured Markdown report to both an internal archive path and the current working directory. That creates an undeclared filesystem side effect and can leak sensitive legal queries, case facts, or retrieved results into arbitrary local directories where other tools, users, or automation may access them.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The instructions explicitly direct the agent to write a consolidated report into a user-specified target directory, which expands the skill from legal retrieval into filesystem write operations in user workspace locations. That broader capability increases the blast radius of prompt injection or agent mistakes, because a retrieval-oriented skill can now create or overwrite artifacts outside its internal working area.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The file implements a generic self-updater that fetches remote content from GitHub and is capable of replacing local skill files. For a legal search skill, this creates an unnecessary remote code/content modification channel that broadens the trust boundary and could let a compromised repository, poisoned manifest, or malicious update alter the skill after deployment.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
cmd_do_update downloads a remote MANIFEST and then iterates over remotely supplied file paths, writing downloaded content into the local skill directory. That gives the remote source direct influence over the skill's code and assets, so a compromised upstream or unauthorized repository change can persistently modify behavior, including executable scripts.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The comment claims updates will not touch .env or archive, but the implementation only checks that paths stay under skill_root and does not block writes into archive or other sensitive subpaths. A remote manifest can therefore overwrite archive contents and potentially other operational files, creating integrity and audit-trail risks even if it cannot escape the root directory.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The skill manifest describes law/article/case retrieval, but the code also exposes broad enterprise intelligence queries. This capability expansion increases data exposure and may surprise operators or agents that would not have granted the skill access had the true scope been disclosed.

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
The skill includes hallucination-detection functionality that is not reflected in the manifest. Hidden or undocumented capabilities reduce operator visibility and can cause unexpected transmission and persistence of sensitive legal analysis text.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
A legal search skill also includes self-update commands that fetch and apply code changes unrelated to its core retrieval purpose. In an agent setting, this materially increases risk because a data-retrieval tool becomes capable of modifying its own codebase, expanding the blast radius of prompt or tool misuse.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The enterprise/corporate intelligence features access datasets that go beyond the stated legal-regulation-and-case retrieval purpose. In context, that makes accidental collection, storage, and disclosure of broader business intelligence more likely and weakens scope control for agent users.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Exposing self-update/download capability through normal CLI parsing is context-inappropriate for a legal search tool and creates a code-modification path. The danger is amplified in agent environments because tool invocation can be triggered indirectly, potentially resulting in unreviewed code changes or supply-chain compromise.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill says all retrieval results are automatically archived locally, but it does not present that as a prominent privacy/safety warning despite the likelihood of sensitive legal research, case strategy, or corporate due-diligence data. Silent persistence increases the chance of unintended disclosure through shared workspaces, backups, or later reuse.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill instructs operators to run Codex with `--sandbox danger-full-access --ask-for-approval never`, effectively disabling meaningful containment and approval checks. In that mode, the documented file, env, and network capabilities become much more dangerous because the skill can act without user intervention and with broad host access.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill copies per-call reports into the user's current working directory, creating persistent files outside the dedicated archive location without a prominent warning. This can leak sensitive matter details into project folders, sync tools, source-control repositories, or other downstream locations the user did not intend to expose.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly allows automatic keyword expansion and multi-stage retrieval, and under some strategies it may proceed to a second search that consumes additional points without a uniform upfront confirmation. In a metered legal research workflow, this can cause unexpected resource usage, especially because the aggressive strategy says not to limit coverage and the balanced strategy only warns before the second stage rather than before the overall expanded workflow begins.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The document describes automatic report-copy creation in the current working directory without requiring explicit user notice or consent at the time of the write. In legal workflows, those reports may contain sensitive matter names, factual summaries, keywords, and source references, so silent persistence increases confidentiality and data-handling risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The workflow explicitly instructs the agent/user to pipe MCP/API JSON responses into `yd-run ingest`, which writes archive files and working-copy Markdown to disk, including company and legal search data. Without warnings, redaction guidance, retention controls, or access restrictions, this can persist sensitive matter details, case strategy, client information, or company data in local files where they may be exposed to other users, backups, logs, or source control.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
User legal queries, case facts, and analysis text are transmitted to a third-party remote API, but the call sites do not surface a clear privacy warning or consent step. In a legal-research context this is more sensitive than usual because the text may contain confidential client facts, strategy, or personally identifiable information.

VirusTotal

65/65 vendors flagged this skill as clean.
