Psychology Literature Search and Organization (心理学文献搜索与整理)

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a literature-search helper, but its documentation and runtime instructions inconsistently request optional Web of Science/Springer credentials and provider use that the declared implementation does not clearly support.

Install only if you are comfortable with public literature queries being sent to PubMed/Semantic Scholar and with AI translation/formatting of abstracts. Do not paste or store Web of Science, Springer, or other API keys unless the publisher clarifies exactly how those keys are used and updates the documentation to match the actual scripts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Description-Behavior Mismatch

Severity: Medium. Confidence: 95%.
The README materially overstates the skill's capabilities and data sources by claiming support for Web of Science and Springer Nature, while the stated skill metadata says the skill uses PubMed and Semantic Scholar only. This kind of scope drift can mislead users and downstream systems about what external services are contacted, what data is processed, and what credentials may be requested, which is a real security and trust problem even if it is not direct code execution.

Description-Behavior Mismatch

Severity: Low. Confidence: 84%.
Documenting undeclared enrichment features such as journal ranking, SSCI status, and impact factor creates a mismatch between advertised behavior and declared scope. That can cause users to disclose extra credentials or rely on outputs whose provenance and processing are not transparently described, undermining informed consent and safe deployment.

Intent-Code Divergence

Severity: Medium. Confidence: 89%.
The template instructs the agent to use Web of Science and Springer Nature even though the skill metadata says it should operate with PubMed and Semantic Scholar only. This kind of scope drift can cause the agent to rely on undeclared data sources, make unsupported network requests, or produce outputs that misrepresent provenance and capabilities.

Intent-Code Divergence

Severity: Medium. Confidence: 87%.
Requiring `journal_level.py` introduces an undeclared dependency and capability not described in the skill metadata. Hidden tool dependencies are risky because they can trigger unexpected code paths, fail unpredictably, or encourage the agent to fabricate results when the tool is unavailable.

Intent-Code Divergence

Severity: High. Confidence: 94%.
The fallback section references WoS and Springer API-key contingencies that directly contradict the stated no-key PubMed/Semantic Scholar design. This inconsistency is more dangerous than a documentation typo because it can drive the agent to attempt undeclared external access patterns and obscure what data is actually being transmitted to third parties.

Vague Triggers

Severity: Medium. Confidence: 88%.
The trigger phrases are broad enough to match ordinary research requests, increasing the chance that the skill activates when the user did not explicitly intend to invoke it. Over-broad activation can cause unintended network queries, unexpected data processing, and confusing substitution of this skill for other tools, which is a real safety issue in agentic systems.

Vague Triggers

Severity: Medium. Confidence: 90%.
The English triggers include generic phrases like 'find papers' and 'organize papers into a table,' which lack clear boundaries and can overlap with normal assistant behavior. In a skill-routing environment, that ambiguity increases the likelihood of unintended activation and external lookups without sufficiently specific user consent.

Natural-Language Policy Violations

Severity: Medium. Confidence: 86%.
Forcing Chinese translation and bilingual output as a default behavior without user opt-in can expose retrieved content to additional processing steps the user did not request. That creates privacy, compliance, and expectation risks, especially when abstracts or research text may be sent through translation or AI post-processing pipelines.

Natural-Language Policy Violations

Severity: Medium. Confidence: 89%.
The technical section states that Chinese translation is performed by built-in AI as a fixed behavior, which implies automatic secondary processing of fetched content. In security-sensitive deployments, mandatory AI transformation without explicit consent increases data handling risk and may violate user expectations or organizational policy.

Missing User Warnings

Severity: Medium. Confidence: 87%.
The skill instructs writing a markdown report into the workspace without clearly requiring prior user consent for local file modification. In agent environments, silent file creation can overwrite existing work, leave sensitive research artifacts on disk, or normalize unauthorized filesystem changes.

VirusTotal

VirusTotal findings are pending for this skill version.