Security audit

Cue Legal Research

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Cue-based legal and industry research helper, with clear credit confirmation and no bundled executable code.

Install this only if you are comfortable using Cue for legal and business research, cloning an external runner into ~/.cue, and letting that runner read your Cue API key. Treat outputs as research with sources, not legal advice, and confirm credit use before each run.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 85%
Finding
The trigger text is very broad, covering multiple high-sensitivity domains such as legal research, regulatory policy, and due diligence without clear activation boundaries or qualification rules. In an agent setting, this can cause the skill to activate for loosely related prompts and steer the model into operational guidance or external tool use in contexts the user did not clearly request.

VirusTotal

63/63 vendors flagged this skill as clean.
