Back to skill

Security audit

Academic Paper

Security checks across malware telemetry and agentic risk

Overview

This is mostly a prompt-only academic writing skill, but it needs review because some optional verification paths can send manuscript or source data to outside model providers and are not clearly gated by user consent.

Install only if you are comfortable processing manuscript text, reviewer comments, references, and figures through AI workflows. Do not enable cross-model or VLM verification for confidential, unpublished, regulated, or proprietary work unless you understand which provider receives the data. Use a dedicated project folder, review all citation and formatting changes before submission, and avoid storing API keys in persistent shell profiles on shared machines.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (26)

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
Instructing the agent to consult journal websites introduces external retrieval behavior beyond formatting, which expands the trust boundary and can cause prompt injection, policy drift, or incorporation of untrusted remote content into outputs. In an agent pipeline, web-derived instructions or malformed guidance from journal pages could influence formatting decisions, disclosures, or submission artifacts without clear user approval or validation.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The guide documents operational modes that diverge from the skill's declared interface, which can cause the routing agent or users to invoke unsupported behavior. In a multi-agent pipeline, this inconsistency increases the chance of incorrect delegation, bypassed safeguards, failed executions, or unexpected fallbacks that may mishandle user data or produce misleading outputs.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The guide omits a declared disclosure mode and instead directs users into an undeclared deep-research dependency, creating undocumented control flow and hiding a supported safety-relevant path. Because this skill handles academic writing and AI disclosure, omission of disclosure behavior can lead to noncompliant outputs, while undocumented dependencies can route data into unintended agent workflows.

Description-Behavior Mismatch

Low
Confidence
82% confidence
Finding
The guide introduces revision-coach trigger behavior without corresponding detailed mode semantics, which creates ambiguity about what data the mode consumes, what actions it can take, and what safeguards apply. That ambiguity can cause an agent to over-collect paper drafts, reviewer comments, or sensitive academic material under an ill-defined path.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger list includes broad English and Chinese phrases such as "write paper," "academic paper," and "guide my paper," which can match ordinary user requests and invoke the skill unexpectedly. In an open-ended agent environment, unintended activation can route sensitive draft content into a multi-agent workflow and apply automated actions the user did not explicitly request.

Vague Triggers

Medium
Confidence
68% confidence
Finding
The activation wording is broad enough that the agent could run in contexts where the user did not explicitly request citation compliance actions, increasing the chance of unintended processing of drafts and references. In a multi-agent pipeline, underspecified routing can cause the wrong agent to modify content or perform unnecessary checks, especially because this agent is authorized to auto-correct directly.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill authorizes direct modification of user draft content without a clear up-front warning or consent boundary. In this context, silent edits to academic text can alter meaning, attribution, or evidence presentation, creating integrity and trust risks even if the intent is helpful.

Missing User Warnings

High
Confidence
97% confidence
Finding
The instruction to auto-correct silently is the strongest true risk in this file because it permits unannounced changes to scholarly content and citations. In an academic-writing pipeline, silent modifications can distort source attribution, introduce factual or citation errors, and make it difficult for the user to audit what changed, which materially increases integrity and compliance risk.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The plan-mode trigger phrases are broad enough that ordinary user requests like 'help me plan my paper' or 'step by step' can unintentionally route the skill into a simplified 3-question path. That can bypass the fuller intake process, causing incorrect mode selection, incomplete parameter collection, and mis-handoffs to downstream agents, which is a real workflow integrity issue in a multi-agent pipeline.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The operational mode table relies on short, vague phrases such as 'Write a paper' or 'Literature review' without disambiguation rules, making accidental or adversarial prompt steering easy. In this skill, mode determines what data is collected and which downstream agents run, so ambiguous activation can produce the wrong workflow, skip required checks, or process incomplete materials.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The frontmatter description is generic enough that an orchestrator or trigger-matching layer could invoke this agent outside its intended phase, causing it to act on loosely related prompts or user content. In a multi-agent academic-writing pipeline, overly broad activation increases the chance of unintended delegation, unnecessary external searching, and processing of user-provided corpus material without the tighter context that should come from the intake phase.

Natural-Language Policy Violations

Medium
Confidence
82% confidence
Finding
The edge-case rule defaults to English-primary plus attempted Chinese search when language preference is unspecified, which can override user autonomy or system language-choice policy. While not a classic security exploit, it can cause unintended cross-language retrieval and disclosure of user topics to additional external sources or databases, especially in workflows that perform automated search delegation.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger list includes broad natural-language phrases such as "help me with my revision" and "parse these reviews," which can plausibly appear in ordinary user conversation and cause unintended activation of this standalone agent. In a multi-skill environment, overbroad triggers can route user input to the wrong skill, exposing pasted reviewer comments, draft text, or editor letters to an unintended workflow and causing confusing or unsafe task execution.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill explicitly instructs sending rendered figures and source data to a VLM for verification, but it provides no user-facing consent flow, privacy notice, or data-classification check before sharing content externally. In an academic-paper pipeline, datasets and figures may contain unpublished results, sensitive human-subject data, or proprietary material, so silent transfer to another model/service creates a real confidentiality and compliance risk.

Vague Triggers

Medium
Confidence
85% confidence
Finding
Broad trigger phrases like 'help me with my revision' overlap with common conversational language and can activate the skill when the user did not intend to invoke this academic-paper workflow. Unintended activation is risky in a skill that may ingest large text bodies, reviewer feedback, or draft manuscripts, leading to unnecessary data exposure and confusing or unsafe task routing.

Natural-Language Policy Violations

Medium
Confidence
88% confidence
Finding
Forcing bilingual output, including zh-TW, without explicit user choice can cause unintended disclosure of user content through translation and may violate user expectations, institutional policy, or submission requirements. In academic contexts, language conversion can also alter meaning or reveal sensitive draft content to additional processing stages unnecessarily.

Natural-Language Policy Violations

Medium
Confidence
90% confidence
Finding
Abstract-only mode hardcodes zh-TW + EN output, which removes user control over language handling and can trigger unnecessary translation of potentially unpublished research content. This is especially problematic for academic workflows where exact wording, embargoed material, and venue-specific language requirements matter.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The activation logic is intentionally broad and defaults ambiguous requests to plan mode, which can cause the skill to trigger on generic academic-help prompts the user did not clearly map to this workflow. In a multi-skill agent environment, this creates routing ambiguity and increases the chance of unintended invocation, potentially leading to confusing behavior, unnecessary data collection through probing questions, or bypass of a more appropriate skill.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The protocol explicitly recommends sending rendered figure images and source data to a vision-capable LLM, but it provides no notice, consent step, or data-classification guardrails. In an academic-paper pipeline, figures and underlying data may contain unpublished results, regulated data, or confidential material, so silent transmission to an external model provider can cause privacy, confidentiality, or IP leakage.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The verification loop operationalizes external sharing by instructing the system to send the figure image, source data, and checklist to a VLM, yet it omits any confidentiality warning or approval gate. Because this occurs in an automated refinement loop, the skill context makes it more dangerous: users may not realize multiple transmissions can happen, increasing exposure of sensitive research data or unpublished figures.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The protocol states that a successful override causes the orchestrator to auto-inject a disclosure addendum into the manuscript and describes it as non-removable, but it does not require an explicit user-facing notice or confirmation at the point of modification. In a writing pipeline that edits user manuscripts, silent or forced content modification is a real integrity and consent risk, especially if the manuscript is later exported or submitted without the user noticing the inserted text.

Missing User Warnings

Low
Confidence
81% confidence
Finding
The non-pipeline invocation path says the agent writes compliance reports to a local file path, but it does not specify a user-facing warning, consent prompt, or retention/placement controls. Even though the write target is documented, creating local audit files can unexpectedly persist sensitive manuscript or compliance metadata on disk, which is a legitimate privacy and operational security concern.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The protocol explicitly instructs agents to send reference text, citation context, and reviewed material to third-party model providers, but it does not require a clear user-facing disclosure or consent step before that transfer. In an academic workflow, those materials may contain unpublished research, peer review content, or sensitive manuscript text, creating a real privacy and confidentiality risk rather than a purely theoretical one.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The setup guide tells users to place API keys in persistent shell profiles, which can leave secrets stored long-term in plaintext configuration files and inherited by future sessions. Without warnings about file permissions, shared machines, shell history, or safer secret-storage alternatives, this increases the chance of credential exposure.

Hidden Instructions

High
Category
Prompt Injection
Content
When emitting any citation in the draft body, write the citation in two layers:

1. **Visible layer**: standard author-year form (e.g. `Smith (2024)` or `(Smith, 2024)`).
2. **Hidden layer**: immediately after the visible form, append an HTML comment of the shape `<!--ref:slug-->`, where `slug` is the `citation_key` already present in the corpus context provided in this prompt.

Examples: `Smith (2024) <!--ref:smith2024-->` or `(Smith, 2024)<!--ref:smith2024-->`.
Confidence
95% confidence
Finding
<!--ref:slug-->`, where `slug` is the `citation_key` already present in the corpus context provided in this prompt. Examples: `Smith (2024) <!--ref:smith2024-->` or `(Smith, 2024)<!--ref:smith2024-->

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.