Back to skill

Security audit

Litigation Hub Sanitized

Security checks across malware telemetry and agentic risk

Overview

This legal-document helper is mostly purpose-aligned, but it can automatically create calendar items, scheduled reminders, emails, cloud OCR uploads, and software installs without consistently requiring clear user confirmation.

Install only if you are comfortable with a legal-workflow skill that can modify local case folders, create calendar entries and scheduled jobs, send QQ email reminders, and upload OCR images to a cloud OCR tool. Prefer running with --no-remind until you have reviewed the reminder plan, and do not use cloud OCR for privileged or highly confidential documents without explicit consent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (53)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
f = tempfile.NamedTemporaryFile(mode='w', suffix='.scpt', delete=False, encoding='utf-8')
    f.write(script)
    f.close()
    result = subprocess.run(['osascript', f.name], capture_output=True, text=True)
    os.remove(f.name)
    if result.returncode != 0:
        print(f"  AppleScript error: {result.stderr}")
Confidence
98% confidence
Finding
result = subprocess.run(['osascript', f.name], capture_output=True, text=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
f = tempfile.NamedTemporaryFile(mode='w', suffix='.scpt', delete=False, encoding='utf-8')
    f.write(script)
    f.close()
    subprocess.run(['osascript', f.name], capture_output=True, text=True)
    os.remove(f.name)
Confidence
97% confidence
Finding
subprocess.run(['osascript', f.name], capture_output=True, text=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
t = title.replace('"', '\\"')
    m = message.replace('"', '\\"')
    script = f'display notification "{m}" with title "{t}" sound name "{sound}"'
    result = subprocess.run(['osascript', '-e', script], capture_output=True, text=True)
    if result.returncode != 0:
        print(f"  ⚠️ 系统通知弹出失败: {result.stderr}")
        return False
Confidence
95% confidence
Finding
result = subprocess.run(['osascript', '-e', script], capture_output=True, text=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
Write-Output "OK"
'''

    result = subprocess.run(
        ['powershell', '-NoProfile', '-Command', ps_script],
        capture_output=True, text=True, timeout=30
    )
Confidence
98% confidence
Finding
result = subprocess.run( ['powershell', '-NoProfile', '-Command', ps_script], capture_output=True, text=True, timeout=30 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
}}
Write-Output ($toDelete.Count)
'''
    subprocess.run(
        ['powershell', '-NoProfile', '-Command', ps_script],
        capture_output=True, text=True, timeout=30
    )
Confidence
97% confidence
Finding
subprocess.run( ['powershell', '-NoProfile', '-Command', ps_script], capture_output=True, text=True, timeout=30 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
'/SD', alarm_dt.strftime('%Y-%m-%d'),
        '/F'
    ]
    subprocess.run(cmd, capture_output=True, text=True, timeout=15)


def _windows_schedule_email_script(uid_hash, label, alarm_dt, python_exe, script_dir, hour, minute):
Confidence
93% confidence
Finding
subprocess.run(cmd, capture_output=True, text=True, timeout=15)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
elif PLATFORM == 'windows':
        t = _escape_ps(title); m = _escape_ps(message)
        ps = f'Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show("{m}","{t}")'
        r = subprocess.run(['powershell','-NoProfile','-Command',ps], capture_output=True)
        return r.returncode == 0
    else:
        print(f"  ℹ️ {PLATFORM} 不支持即时弹窗(已生成桌面提醒文件兜底)")
Confidence
97% confidence
Finding
r = subprocess.run(['powershell','-NoProfile','-Command',ps], capture_output=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
f'  end tell\nend tell')
    f = tempfile.NamedTemporaryFile(mode='w', suffix='.scpt', delete=False, encoding='utf-8')
    f.write(script); f.close()
    r = subprocess.run(['osascript', f.name], capture_output=True, text=True)
    os.remove(f.name)
    if r.returncode == 0:
        print(f"  📅 Apple Calendar: {summary}")
Confidence
91% confidence
Finding
r = subprocess.run(['osascript', f.name], capture_output=True, text=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
tr = f'"{python_exe}" {" ".join(f"{a}" for a in args)}'
    cmd = ['schtasks','/Create','/SC','ONCE','/TN',label,'/TR',tr,
           '/ST','09:00','/SD',alarm_date.strftime('%Y-%m-%d'),'/F']
    r = subprocess.run(cmd, capture_output=True, text=True, timeout=15)
    if r.returncode != 0:
        print(f"  ⚠️ schtasks 失败: {r.stderr}"); return False
    print(f"  ✅ schtasks: {label} → {alarm_date.strftime('%Y-%m-%d')} 09:00")
Confidence
96% confidence
Finding
r = subprocess.run(cmd, capture_output=True, text=True, timeout=15)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
script = f'display notification "{m}" with title "{t}"'
        f = tempfile.NamedTemporaryFile(mode='w', suffix='.scpt', delete=False, encoding='utf-8')
        f.write(script); f.close()
        subprocess.run(['osascript', f.name], capture_output=True)
        os.remove(f.name)
    elif PLATFORM == 'windows':
        t = _escape_ps(title); m = _escape_ps(message)
Confidence
90% confidence
Finding
subprocess.run(['osascript', f.name], capture_output=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
elif PLATFORM == 'windows':
        t = _escape_ps(title); m = _escape_ps(message)
        ps = f'Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show("{m}","{t}")'
        subprocess.run(['powershell','-NoProfile','-Command',ps], capture_output=True)


# ============================================================
Confidence
94% confidence
Finding
subprocess.run(['powershell','-NoProfile','-Command',ps], capture_output=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
print("", file=sys.stderr)
    print("📦 Tier 2 需要 mineru-open-api(约 30MB,首次安装)。", file=sys.stderr)
    print("   正在安装...", file=sys.stderr)
    r = subprocess.run(['npm', 'install', '-g', 'mineru-open-api'],
                       capture_output=True, text=True, timeout=120)
    if r.returncode != 0:
        print(f"❌ MinerU 安装失败: {r.stderr[:200]}", file=sys.stderr)
Confidence
98% confidence
Finding
r = subprocess.run(['npm', 'install', '-g', 'mineru-open-api'], capture_output=True, text=True, timeout=120)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
print("🔍 Tier 2: MinerU (flash-extract) ...", file=sys.stderr)

    try:
        result = subprocess.run(
            ['mineru-open-api', 'flash-extract', image_path],
            capture_output=True, text=True, timeout=120
        )
Confidence
97% confidence
Finding
result = subprocess.run( ['mineru-open-api', 'flash-extract', image_path], capture_output=True, text=True, timeout=120 )

Tainted flow: 'cmd' from os.environ.get (line 129, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
tr = f'"{python_exe}" {" ".join(f"{a}" for a in args)}'
    cmd = ['schtasks','/Create','/SC','ONCE','/TN',label,'/TR',tr,
           '/ST','09:00','/SD',alarm_date.strftime('%Y-%m-%d'),'/F']
    r = subprocess.run(cmd, capture_output=True, text=True, timeout=15)
    if r.returncode != 0:
        print(f"  ⚠️ schtasks 失败: {r.stderr}"); return False
    print(f"  ✅ schtasks: {label} → {alarm_date.strftime('%Y-%m-%d')} 09:00")
Confidence
93% confidence
Finding
r = subprocess.run(cmd, capture_output=True, text=True, timeout=15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill declares broad operational behavior—shell execution, file read/write, network access, environment use—without explicit permission disclosure or scoping. That is dangerous because users may authorize a document-processing workflow without understanding it can modify local files, create persistence artifacts, and contact external services.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented purpose understates several sensitive behaviors: creating/deleting system calendar entries, installing scheduled tasks, sending email through another skill, uploading content to a cloud OCR service, auto-installing packages, and maintaining local tracking state. This mismatch is dangerous because users may provide highly sensitive legal documents under the assumption of simple OCR/archiving, while the skill performs broader persistence and external-transfer actions.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The document simultaneously says reminders are fully automatic and also says reminder creation requires explicit user confirmation. In a high-sensitivity legal workflow, contradictory instructions increase the chance that an agent creates calendar/email/notification artifacts without consent, leaking case metadata or causing unintended actions.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The skill gives inconsistent guidance on whether existing case folders are auto-archived into or require lawyer confirmation. That inconsistency can cause silent writes into the wrong case file, especially with common names or ambiguous matches, corrupting legal records and exposing confidential documents to unrelated matter folders.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill instructs extraction and use of platform credentials, default passwords, SMS verification codes, and phone-number-derived codes as part of processing. Handling authentication material broadens the skill from document organization into credential use, increasing the risk of unauthorized account access, overcollection of secrets, and accidental disclosure in logs or archives.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The generated report tells the user reminders will be created only after replying with confirmation, but the main flow later auto-executes reminder creation unless --no-remind is set. In this skill context, reminder creation spans calendar, local notifications/desktop artifacts, and QQ email, so the mismatch can trigger unintended external actions and data disclosure without informed user consent.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script description promises a parse/download/archive/report pipeline, but the implementation also performs outbound reminder actions by default. In an agent skill handling sensitive litigation documents, hidden side effects are risky because they can leak case details into calendars, notifications, emails, or shared local environments unexpectedly.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The script contains an automatic package installation routine that adds global software to the host from the network during normal document processing. That behavior is not necessary for safe OCR ingestion and expands the attack surface through supply-chain compromise and unauthorized host modification.

Missing User Warnings

Medium
Confidence
77% confidence
Finding
The skill auto-creates new case folders and directory structures without clear upfront warning about filesystem changes. While aligned with the skill's purpose, silent creation can still confuse users, clutter sensitive workstations, or create misfiled legal matter directories that appear authoritative.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill routes document images to MinerU cloud OCR but does not prominently warn that legal documents and court materials may be uploaded to an external service. This is especially dangerous in a litigation context because filings, summonses, judgments, and party data can contain privileged, personal, or regulated information.

Missing User Warnings

High
Confidence
95% confidence
Finding
The skill automatically sends QQ email reminders containing case metadata without a clear front-loaded warning about external transmission. In legal workflows, even basic reminder content can reveal case numbers, parties, courts, and hearing dates to third-party infrastructure or misconfigured mailboxes.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.