Security audit

Cue Research

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its research purpose, but its optional mimic feature can upload arbitrary local documents to Cue despite a separate safety statement saying local materials are not uploaded.

Install only if you are comfortable with Cue API access, local report files under ~/cue-reports, and the cue-buddy sibling dependency. Do not use --mimic-file with confidential, internal, personal, medical, financial, or client documents unless you intentionally want that file sent to Cue's backend.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 92%

Finding: The skill clearly instructs the agent to read and write local files, including loading sibling scripts and persisting reports to ~/cue-reports, but it declares no permissions. This creates a transparency and containment problem: operators may approve a seemingly low-privilege research skill without realizing it can access and persist local data.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 95%

Finding: The description frames the skill as public-data research, but the body adds materially different behaviors: local file upload for mimic mode, fetching arbitrary mimic URLs, and local filesystem persistence. That mismatch can mislead users and policy systems into exposing local content or externalizing data in ways they did not anticipate.

Context-Inappropriate Capability
Severity: Medium
Confidence: 88%

Finding: The self-upgrade feature allows the skill to pull and change its own code from a remote source, which is outside the core research purpose. Any automatic or user-confirmed upgrade path increases supply-chain risk, especially when the skill recommends silent update checks at session start.

Description-Behavior Mismatch
Severity: Medium
Confidence: 95%

Finding: The skill is explicitly described as public-data research only, but the runner accepts `--mimic-file` and uploads an arbitrary local file to a remote service via `upload_file()`. That creates a data-exfiltration path inconsistent with the stated scope, and an agent could inadvertently send private local documents under the guise of style mimicry.

Context-Inappropriate Capability
Severity: Medium
Confidence: 89%

Finding: The local document upload feature is not necessary for the core stated purpose of running public-data research, yet it enables transmission of arbitrary local content to the backend. Because this capability is adjacent to but broader than the skill's advertised function, it increases the chance of misuse or accidental disclosure of sensitive files.

Missing User Warnings
Severity: Low
Confidence: 90%

Finding: The skill writes reports and possibly failure stubs to local disk in the main flow, but the user-facing flow does not consistently foreground that local persistence before execution. This can leave sensitive research prompts, rewritten mandates, or generated reports stored on disk longer than the user expects.

Missing User Warnings
Severity: Medium
Confidence: 97%

Finding: When `--mimic-file` is used, the code uploads a local file to a remote service immediately, but the user-facing flow only says the sample is being uploaded and does not provide a meaningful warning about external transmission or privacy risk. This can cause users or agents to disclose confidential local documents without informed consent.

VirusTotal

63/63 vendors flagged this skill as clean.