Back to skill

Security audit

Legal Risk Assistant

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent China-focused legal triage assistant with expected handling of user-provided legal facts, and I found no hidden collection, persistence, network use, or destructive behavior.

Before installing, understand that legal documents and dispute facts can contain sensitive information. Use redacted or sample facts where possible, avoid sharing IDs, bank details, addresses, trade secrets, and case numbers unless necessary, and treat outputs as preliminary legal information to be reviewed by a qualified lawyer.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The listing encourages users to submit contracts, labor-dispute facts, and draft legal materials, which commonly contain highly sensitive personal, financial, employment, and litigation information, but it does not warn users about privacy, confidentiality, or data-handling risks. In a legal-assistance context, this omission is more dangerous because users may reasonably assume discretion similar to lawyer-client communications and disclose far more sensitive information than they otherwise would.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The release copy invites users to submit real contracts, labor disputes, debt cases, and drafting needs, but it does not clearly warn users against sharing sensitive personal, financial, employment, or case-identifying data. In a legal-assistance context, users are especially likely to provide high-risk confidential information, so the omission can lead to unnecessary exposure of private or regulated data.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.