Security audit

Labor Arbitration

Security checks across malware telemetry and agentic risk

Overview

This labor arbitration skill is coherent and purpose-aligned, but users should handle the personal and legal information it processes carefully.

Install only if you want labor-arbitration help and are comfortable processing sensitive employment and identity information locally. Verify submission links through official government or hotline channels, do not share platform credentials with the agent, and keep generated documents in a secure folder because they may contain ID numbers, addresses, phone numbers, wage details, and employer information.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (4)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 88% confidence
Finding: The skill instructs the agent to read multiple local reference files and invoke a document-generation script that writes output, but no permissions are declared. This creates a mismatch between the skill's effective capabilities and its declared security posture, increasing the risk of unauthorized file access or unsafe execution if the platform relies on explicit permission declarations for enforcement or review.

Vague Triggers

Medium

Confidence: 77% confidence
Finding: The trigger description uses broad labor-dispute keywords and expansive phrasing, which can cause the skill to activate in loosely related conversations. Over-triggering can expose sensitive employment or legal information to the skill unnecessarily and may cause the agent to perform file/script-backed actions in contexts where the user did not intend to invoke this workflow.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The guide instructs users to submit highly sensitive personal data, including identity numbers and biometric verification, but does not warn them to verify official platforms, minimize disclosure, or understand retention and privacy risks. In a labor-arbitration skill, users are likely to be vulnerable individuals under stress, which increases the chance they will follow the instructions without scrutinizing data-handling practices or phishing risks.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The script writes highly sensitive personal data such as身份证号、住址、电话 and employer identifiers directly into plaintext Markdown files on disk. In the context of a labor-arbitration assistant, handling real claimant data is expected, but persisting it without any minimization, warning, access-control guidance, or optional redaction increases the risk of local disclosure, accidental syncing, backup exposure, or mishandling.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal