Security audit

Cue Private Fund Dd

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-aligned, but its setup asks users to fetch and run external Git repository code, which should be reviewed before use.

Before installing, make sure you trust the external repository, review the code that will run, and prefer pinning to a known commit or release instead of auto-updating from the latest branch.

SkillSpector

By NVIDIA
Vulnerability Patterns

  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Context-Inappropriate Capability

Medium
Confidence: 94%

Finding
The skill directs the agent to clone or update and then execute code from an external Git repository in order to perform its task. For a due-diligence research skill, this expands capabilities beyond simple research into software acquisition and code execution, creating supply-chain and arbitrary-code-execution risk if the repository, mirror, or fetched revision is malicious or compromised.

VirusTotal

63/63 vendors flagged this skill as clean.