Pre judgment of similar cases wdy

Security checks across malware telemetry and agentic risk

Overview

This legal-search skill does what it says, but it can automatically send sensitive dispute details to a third-party API without a required consent or redaction step.

Review before installing. Use this only if you are comfortable sending legal questions or case descriptions to WenDaoYun. Redact names, ID numbers, phone numbers, addresses, account details, and other private facts before lookup, and treat results as research support rather than legal advice. Keep WENDAOYUN_API_KEY in an environment variable and rotate it if exposed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 87% confidence
Finding: The trigger conditions are broad enough to match ordinary conversation about disputes, debt, injury, or general legal questions, which can cause the skill to activate without clear user intent. In this skill's context, accidental activation is more dangerous because it can send sensitive case descriptions and personal data to a third-party legal API, creating privacy and consent risks.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal