Policy Lawyer 1.0.0

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward local policy lookup helper with no evidence of hidden network access, credential use, destructive behavior, or persistence.

Install this as a local policy reference helper. Use the --policy-file option only for policy files you intend the agent to read, and treat the policy text’s advice about logging sensitive actions as guidance that still requires normal redaction and access control.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 84% confidence
Finding: The skill advertises behavior that relies on reading workspace files and invoking a CLI script, but the manifest does not declare corresponding permissions. That mismatch can bypass user expectations and platform policy checks, making it easier for a seemingly low-risk documentation skill to access local content or execute shell-backed commands without explicit review.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal