Legal Manager Skill

Warn

Audited by Gen Agent Trust Hub on Jun 1, 2026

Risk Level: MEDIUM
Flags: PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill contains an 'Iron Rule' (铁律) section that explicitly commands the agent to override standard operating procedures. It instructs the agent to 'not ask any questions', 'not say do you need me to...', and 'directly execute the entire process' upon receiving a file. This is a behavioral override designed to bypass the agent's normal deliberation and safety checkpoints.
  • [DATA_EXFILTRATION]: The workflow involves extracting high-value sensitive data, including contract parties, amounts, dates, and key legal clauses, and automatically sending this summary to an external WeCom webhook via the wecom_push.py script. While presented as a feature, it establishes a persistent channel for moving sensitive private and business data out of the local environment.
  • [COMMAND_EXECUTION]: The skill heavily relies on executing shell commands and local Python scripts located in <skill_dir>/scripts/ (e.g., seal_signature_detector.py, wecom_push.py, daily_patrol.py). The logic within these scripts is not provided, representing a reliance on opaque executable content.
  • [EXTERNAL_DOWNLOADS]: The instructions reference a system-level tool located at /system/.agents/skills/buda-far/far_gen.py for metadata generation. This indicates a dependency on external/systemic resources that may not be controlled by the skill's own environment.
  • [INDIRECT_PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection as it is designed to automatically ingest and parse untrusted external files (PDFs, Word documents, images) using OCR and parsing tools. Because the 'Iron Rules' mandate immediate execution without user confirmation, a malicious document containing hidden agent instructions could trigger unauthorized actions.
  • Ingestion points: SKILL.md (Contract archiving workflow handles external PDF/Word/images).
  • Boundary markers: None identified; the skill is instructed to process all content as the 'original' document.
  • Capability inventory: The skill has access to Bash, Write, Edit, and Glob tools, enabling file system modification and command execution.
  • Sanitization: There is no evidence of sanitization or safety filtering for the content extracted from parsed documents.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Jun 1, 2026, 02:33 AM
Security Audit — agent-trust-hub — Legal Manager Skill