Back to skill

Security audit

corporate lawyer

Security checks across malware telemetry and agentic risk

Overview

This legal-assistant skill is not malicious, but it needs review because it invites sensitive contract and business data while using broad legal-help activation rules.

Install only if you intend to use it as a legal drafting and issue-spotting aid, not as final legal advice. Avoid submitting privileged, highly confidential, or regulated contracts unless your environment has approved privacy controls, and review any referenced Python package or GitHub source before running the install commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The activation rules are broad enough to trigger on general legal or business questions, which can cause the skill to engage when the user did not intend specialized legal-assistant behavior. In this context, unintended invocation matters because the skill may produce authoritative-sounding legal guidance, document drafting, or risk assessments in situations where narrower routing or clearer consent should be required.

VirusTotal

57/57 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.