Back to skill

Security audit

Legal Assistant

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only legal assistant skill whose contract review, approval drafting, ledger, and reminder behavior is disclosed and aligned with its stated purpose.

Before installing, confirm that any real contract ledger write, reminder creation, archive update, or Feishu/system action shows a preview and requires an authorized human approval. Treat generated legal analysis as a draft for review, and configure permissions, audit logs, and data masking before connecting it to real contracts or business systems.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly describes automatically extracting contract data into a ledger and generating expiry, renewal, and milestone reminder tasks, but it does not clearly require explicit user confirmation immediately before modifying records or creating tasks. In a legal workflow, those actions can alter authoritative business records and trigger downstream processes based on potentially incorrect or hallucinated extraction results, creating operational and compliance risk.

VirusTotal

46/46 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.