Security audit

Cue Deep Verification

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Cue deep-verification research helper that uses public-source research and requires user confirmation before spending credits.

Install this if you intentionally use Cue for deep verification research. Before running it, confirm you trust the Cue runner source, understand it may update code under ~/.cue/cue-skills, and approve any credit-consuming research prompt only for the exact subject you want checked.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The trigger list includes broad phrases such as "fact check" and "cross-source verification," which can plausibly appear in ordinary user requests and may cause the skill to activate when the user did not explicitly intend to invoke this external-research workflow. In this skill, unintended activation is more concerning because the workflow can lead to cloning code, network access, and credit-consuming research actions after follow-on steps, increasing the blast radius of an overly broad trigger.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal