Back to skill

Security audit

LegalDoc AI

Security checks across malware telemetry and agentic risk

Overview

LegalDoc AI is a coherent legal-document tool, but users should be careful with client data, external research queries, local deadline storage, and California-only deadline rules.

Install only after verifying the publisher and any claimed compliance certifications. Avoid using privileged client facts in external research queries, protect or periodically delete the local ~/.legaldoc deadline database, and independently verify all summaries, clauses, citations, and especially deadlines before using them in legal work.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (20)

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The skill claims 'No document storage' while elsewhere documenting local storage paths and version/history features, creating a misleading security representation. In a legal-document context, users may rely on that assurance when handling privileged or regulated materials, increasing the risk of improper data handling and policy noncompliance.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README encourages users to process highly sensitive legal documents, litigation materials, and deadline data, but it does not clearly disclose what data leaves the local environment, what third parties may receive it, how long data is retained, or what notification/integration channels expose metadata. In a legal context, this omission is risky because users may assume attorney-client-sensitive content is safe to upload or process without understanding privacy, confidentiality, and privilege implications.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill supports deadline alerts via email and Slack but does not clearly warn that matter-related information may be transmitted to third-party communication systems. For legal workflows, even limited deadline descriptions, matter IDs, or client references can expose confidential or privileged information if sent to external channels or misconfigured recipients.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The manifest explicitly requests file read/write and HTTP network access and expects multiple API keys, but it provides no user-facing disclosure about what legal documents or metadata may be transmitted externally, stored, or shared with third-party services. In a legal-document skill handling potentially privileged, regulated, and highly sensitive client material, this omission creates a real security and privacy risk because users may unknowingly expose confidential data to external providers or integrations.

Natural-Language Policy Violations

High
Confidence
92% confidence
Finding
The skill hard-codes California statute-of-limitations rules while exposing a generic legal deadline calculator interface, which can cause users in other jurisdictions to rely on incorrect deadlines without explicit locale selection or warning. In a legal-deadline context, silent jurisdiction mismatch can lead to missed filing deadlines, forfeited claims, or malpractice-grade operational harm.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill prints summaries derived from potentially sensitive legal documents directly to stdout, including party names, monetary terms, dates, obligations, and risk indicators. In agent, pipeline, or logging environments, stdout is often captured, persisted, or forwarded, which can unintentionally disclose confidential legal information beyond the intended recipient.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill sends the user's legal research query to CourtListener over the network without any explicit disclosure or consent mechanism. Legal queries can contain sensitive facts, client names, litigation strategy, or privileged matter identifiers, so silent transmission to a third-party service creates a real confidentiality and privacy risk even though the endpoint is legitimate.

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Optional dependencies for enhanced functionality

# PDF parsing
pypdf>=3.0.0

# Word document parsing
python-docx>=0.8.11
Confidence
98% confidence
Finding
pypdf>=3.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
pypdf>=3.0.0

# Word document parsing
python-docx>=0.8.11

# OCR support (for scanned documents)
pytesseract>=0.3.10
Confidence
98% confidence
Finding
python-docx>=0.8.11

Unpinned Dependencies

Low
Category
Supply Chain
Content
python-docx>=0.8.11

# OCR support (for scanned documents)
pytesseract>=0.3.10
Pillow>=9.0.0

# Database (SQLite is built-in, but this adds connection pooling)
Confidence
98% confidence
Finding
pytesseract>=0.3.10

Unpinned Dependencies

Low
Category
Supply Chain
Content
# OCR support (for scanned documents)
pytesseract>=0.3.10
Pillow>=9.0.0

# Database (SQLite is built-in, but this adds connection pooling)
# sqlite-utils>=3.30
Confidence
98% confidence
Finding
Pillow>=9.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# sqlite-utils>=3.30

# API client improvements
requests>=2.28.0
urllib3>=2.0.0

# Date/time handling
Confidence
98% confidence
Finding
requests>=2.28.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# API client improvements
requests>=2.28.0
urllib3>=2.0.0

# Date/time handling
python-dateutil>=2.8.2
Confidence
98% confidence
Finding
urllib3>=2.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
urllib3>=2.0.0

# Date/time handling
python-dateutil>=2.8.2

# YAML configuration
PyYAML>=6.0
Confidence
98% confidence
Finding
python-dateutil>=2.8.2

Unpinned Dependencies

Low
Category
Supply Chain
Content
python-dateutil>=2.8.2

# YAML configuration
PyYAML>=6.0

# Rich CLI output (optional)
rich>=13.0.0
Confidence
98% confidence
Finding
PyYAML>=6.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
PyYAML>=6.0

# Rich CLI output (optional)
rich>=13.0.0

# For development/testing
pytest>=7.0.0
Confidence
97% confidence
Finding
rich>=13.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
rich>=13.0.0

# For development/testing
pytest>=7.0.0
pytest-cov>=4.0.0
black>=23.0.0
mypy>=1.0.0
Confidence
96% confidence
Finding
pytest>=7.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# For development/testing
pytest>=7.0.0
pytest-cov>=4.0.0
black>=23.0.0
mypy>=1.0.0
Confidence
96% confidence
Finding
pytest-cov>=4.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# For development/testing
pytest>=7.0.0
pytest-cov>=4.0.0
black>=23.0.0
mypy>=1.0.0
Confidence
96% confidence
Finding
black>=23.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
pytest>=7.0.0
pytest-cov>=4.0.0
black>=23.0.0
mypy>=1.0.0
Confidence
96% confidence
Finding
mypy>=1.0.0

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.