Security audit

Cue Person Check

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Cue person-background-check workflow that can handle sensitive due-diligence topics and consume credits, but it requires user confirmation before running.

Install only if you intend to use Cue for public-data person or related-entity due-diligence research. Confirm the exact subject and purpose before running, expect Cue credits to be consumed, keep the Cue API key private, and review the external cue-skills runner source because the skill asks the agent to clone or update and execute it.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The trigger list includes very broad phrases such as '全网检索' and generic person-check terms, which can cause the skill to activate in contexts beyond intended due-diligence workflows. Over-broad activation increases the chance of unintended execution of external-research guidance, including prompting users into credit-consuming or privacy-sensitive investigations without clear scope validation.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal