Back to skill

Security audit

Litigation Hub

Security checks across malware telemetry and agentic risk

Overview

The skill has a coherent legal-document workflow, but it handles sensitive case data with hardcoded external email delivery, silent global package installation, broad local persistence, and under-scoped automation.

Install only after confirming the QQ recipient is yours, disabling or changing external email delivery if needed, approving any npm dependency installation yourself, and understanding that the skill will store legal SMS/archive data locally and create calendar or scheduled reminder jobs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (67)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
f = tempfile.NamedTemporaryFile(mode='w', suffix='.scpt', delete=False, encoding='utf-8')
    f.write(script)
    f.close()
    result = subprocess.run(['osascript', f.name], capture_output=True, text=True)
    os.remove(f.name)
    if result.returncode != 0:
        print(f"  AppleScript error: {result.stderr}")
Confidence
98% confidence
Finding
result = subprocess.run(['osascript', f.name], capture_output=True, text=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
f = tempfile.NamedTemporaryFile(mode='w', suffix='.scpt', delete=False, encoding='utf-8')
    f.write(script)
    f.close()
    subprocess.run(['osascript', f.name], capture_output=True, text=True)
    os.remove(f.name)
Confidence
98% confidence
Finding
subprocess.run(['osascript', f.name], capture_output=True, text=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
t = title.replace('"', '\\"')
    m = message.replace('"', '\\"')
    script = f'display notification "{m}" with title "{t}" sound name "{sound}"'
    result = subprocess.run(['osascript', '-e', script], capture_output=True, text=True)
    if result.returncode != 0:
        print(f"  ⚠️ 系统通知弹出失败: {result.stderr}")
        return False
Confidence
91% confidence
Finding
result = subprocess.run(['osascript', '-e', script], capture_output=True, text=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
Write-Output "OK"
'''

    result = subprocess.run(
        ['powershell', '-NoProfile', '-Command', ps_script],
        capture_output=True, text=True, timeout=30
    )
Confidence
97% confidence
Finding
result = subprocess.run( ['powershell', '-NoProfile', '-Command', ps_script], capture_output=True, text=True, timeout=30 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
}}
Write-Output ($toDelete.Count)
'''
    subprocess.run(
        ['powershell', '-NoProfile', '-Command', ps_script],
        capture_output=True, text=True, timeout=30
    )
Confidence
96% confidence
Finding
subprocess.run( ['powershell', '-NoProfile', '-Command', ps_script], capture_output=True, text=True, timeout=30 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
'/SD', alarm_dt.strftime('%Y-%m-%d'),
        '/F'
    ]
    subprocess.run(cmd, capture_output=True, text=True, timeout=15)


def _windows_schedule_email_script(uid_hash, label, alarm_dt, python_exe, script_dir, hour, minute):
Confidence
93% confidence
Finding
subprocess.run(cmd, capture_output=True, text=True, timeout=15)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
elif PLATFORM == 'windows':
        t = _escape_ps(title); m = _escape_ps(message)
        ps = f'Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show("{m}","{t}")'
        r = subprocess.run(['powershell','-NoProfile','-Command',ps], capture_output=True)
        return r.returncode == 0
    else:
        print(f"  ℹ️ {PLATFORM} 不支持即时弹窗(已生成桌面提醒文件兜底)")
Confidence
95% confidence
Finding
r = subprocess.run(['powershell','-NoProfile','-Command',ps], capture_output=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
f'  end tell\nend tell')
    f = tempfile.NamedTemporaryFile(mode='w', suffix='.scpt', delete=False, encoding='utf-8')
    f.write(script); f.close()
    r = subprocess.run(['osascript', f.name], capture_output=True, text=True)
    os.remove(f.name)
    if r.returncode == 0:
        print(f"  📅 Apple Calendar: {summary}")
Confidence
93% confidence
Finding
r = subprocess.run(['osascript', f.name], capture_output=True, text=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
tr = f'"{python_exe}" {" ".join(f"{a}" for a in args)}'
    cmd = ['schtasks','/Create','/SC','ONCE','/TN',label,'/TR',tr,
           '/ST','09:00','/SD',alarm_date.strftime('%Y-%m-%d'),'/F']
    r = subprocess.run(cmd, capture_output=True, text=True, timeout=15)
    if r.returncode != 0:
        print(f"  ⚠️ schtasks 失败: {r.stderr}"); return False
    print(f"  ✅ schtasks: {label} → {alarm_date.strftime('%Y-%m-%d')} 09:00")
Confidence
95% confidence
Finding
r = subprocess.run(cmd, capture_output=True, text=True, timeout=15)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
script = f'display notification "{m}" with title "{t}"'
        f = tempfile.NamedTemporaryFile(mode='w', suffix='.scpt', delete=False, encoding='utf-8')
        f.write(script); f.close()
        subprocess.run(['osascript', f.name], capture_output=True)
        os.remove(f.name)
    elif PLATFORM == 'windows':
        t = _escape_ps(title); m = _escape_ps(message)
Confidence
94% confidence
Finding
subprocess.run(['osascript', f.name], capture_output=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
elif PLATFORM == 'windows':
        t = _escape_ps(title); m = _escape_ps(message)
        ps = f'Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show("{m}","{t}")'
        subprocess.run(['powershell','-NoProfile','-Command',ps], capture_output=True)


# ============================================================
Confidence
96% confidence
Finding
subprocess.run(['powershell','-NoProfile','-Command',ps], capture_output=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def _install_mineru():
    """自动安装 mineru-open-api"""
    print("📦 正在安装 MinerU OCR(仅首次需要,约需 30 秒)...", file=sys.stderr)
    r = subprocess.run(['npm', 'install', '-g', 'mineru-open-api'],
                       capture_output=True, text=True, timeout=120)
    if r.returncode != 0:
        print(f"❌ MinerU 安装失败: {r.stderr}", file=sys.stderr)
Confidence
96% confidence
Finding
r = subprocess.run(['npm', 'install', '-g', 'mineru-open-api'], capture_output=True, text=True, timeout=120)

Tainted flow: 'cmd' from os.environ.get (line 129, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
tr = f'"{python_exe}" {" ".join(f"{a}" for a in args)}'
    cmd = ['schtasks','/Create','/SC','ONCE','/TN',label,'/TR',tr,
           '/ST','09:00','/SD',alarm_date.strftime('%Y-%m-%d'),'/F']
    r = subprocess.run(cmd, capture_output=True, text=True, timeout=15)
    if r.returncode != 0:
        print(f"  ⚠️ schtasks 失败: {r.stderr}"); return False
    print(f"  ✅ schtasks: {label} → {alarm_date.strftime('%Y-%m-%d')} 09:00")
Confidence
90% confidence
Finding
r = subprocess.run(cmd, capture_output=True, text=True, timeout=15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill describes broad capabilities including shell execution, filesystem reads/writes, environment access, browser automation, network downloads, and persistence, yet declares no explicit permissions or trust boundaries. That mismatch is dangerous because users and hosting platforms cannot meaningfully consent to or constrain actions involving sensitive court documents and local system modifications.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The skill states that it will automatically install a global npm package for OCR 'without user awareness'. Silent installation of external tooling expands the trusted code base at runtime and introduces supply-chain risk, especially on a system handling confidential legal materials.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The skill instructs deriving a court-site verification code from the lawyer's stored phone number and using it automatically for access. This repurposes personal account data as an authentication factor and can bypass meaningful user consent for access to sensitive court records.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The skill hardcodes a specific QQ email address as the reminder recipient, creating a built-in data exfiltration path for confidential case information. Because the address is fixed rather than user-configured per case, users may unknowingly disclose privileged litigation details to an unintended mailbox.

Intent-Code Divergence

Medium
Confidence
81% confidence
Finding
Claiming 'no extra configuration needed' is misleading given the documented dependencies, scheduler setup, email integration, and fixed routing behavior. Misleading setup claims weaken informed consent and increase the chance that users enable sensitive automation without understanding what external systems and credentials are involved.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The script silently adds package-management behavior to an OCR workflow by auto-installing a global npm package at runtime. In this skill context, that is especially dangerous because a document-processing helper should not mutate the host or fetch executable dependencies on demand; doing so creates avoidable supply-chain exposure and increases the blast radius on user machines handling sensitive legal materials.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation explicitly says OCR tooling is auto-installed with the user unaware. Concealing software installation is a security and trust problem because it prevents informed approval of new code that will process sensitive files and run with local privileges.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill advertises automatic download, OCR, archival, and reminder workflows for court documents without an upfront privacy and data-handling warning. Given the highly sensitive nature of litigation materials, omission of such disclosure makes accidental over-collection and over-retention more dangerous.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill sends reminder emails to a fixed QQ mailbox without prominently warning users in the main description or obtaining per-case consent. This creates a hidden disclosure channel for case metadata and potentially linked documents outside the local machine.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The archive format explicitly requires storing complete raw SMS text, extracted case details, source delivery URLs, and download parameters in JSON records. In this litigation context, those fields can contain personally identifiable information, court case numbers, delivery tokens, and other sensitive legal metadata that could enable unauthorized disclosure or misuse if the archive is accessed by other users, malware, backups, or logs.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The spec marks `sms_raw` as required and says the original SMS must be preserved in full, even though the example includes names, court identity, case number, and service link. For a system handling court notices, this creates a concentrated store of sensitive legal communications whose exposure could reveal litigation status, personal identities, and procedural deadlines.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The format requires storing extracted URL parameters and full API responses, including identifiers like `qdbh`, `sdbh`, `sdsin`, court metadata, document IDs, and timestamps. In this skill, such values may function as access tokens, document locators, or sensitive case references, so retaining them broadly increases the blast radius of any archive leak and may permit replay or unauthorized retrieval of court documents.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.