Security audit

Post-doc Fellowship Matcher

Security checks across malware telemetry and agentic risk

Overview

This is a small local fellowship-matching helper; its main issue is incomplete matching logic, not hidden or harmful behavior.

Install only if you want a simple local checklist for possible postdoc fellowships. Treat the output as preliminary, because research-field filtering is not actually implemented and deadlines or eligibility rules may be stale; verify field fit, nationality rules, years-since-PhD limits, and deadlines with the official fellowship sites before relying on the results.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

Medium
Confidence: 96%
Finding
The skill claims to match fellowships using nationality, years since PhD, and research field, but the implementation ignores the field parameter entirely. This can produce materially incorrect eligibility results and mislead applicants into relying on recommendations that do not reflect stated criteria, especially where fellowships are field-restricted.

Intent-Code Divergence

Low
Confidence: 91%
Finding
The function signature and documentation imply complete applicant matching, yet one of the accepted inputs is ignored. This mismatch is a security-relevant integrity issue because users and downstream agents may trust the output as comprehensive when it is not, causing silent logic errors rather than obvious failures.

VirusTotal

66/66 vendors flagged this skill as clean.
