Back to skill

Security audit

Ars Academic Pipeline

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate academic workflow, but it needs Review because it can persist research/session history and optionally send manuscript material to third-party AI APIs without clear per-run consent.

Install only if you are comfortable with an academic pipeline that stores project state and generated artifacts locally, may retain stage outputs in long-term memory, and can send research content to external AI providers when cross-model verification is enabled. Before using it with unpublished, confidential, regulated, or peer-review material, disable ARS_CROSS_MODEL unless you explicitly want third-party verification, avoid adding API keys you do not intend it to use, and decide where generated process records and final packages should be stored.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (21)

Context-Inappropriate Capability

Low
Confidence
78% confidence
Finding
Optional cross-model verification sends sampled references to an external model/API, creating a data egress surface not clearly disclosed in the manifest. Even if only references are shared, unpublished manuscripts, niche source lists, or confidential research topics could be exposed to third-party services, and the feature explicitly continues on graceful degradation rather than enforcing user consent or policy checks.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The document declares Stage 2.5 and Stage 4.5 integrity checks as mandatory and non-skippable, but later allows users to 'Continue to next stage' after exceeding three failed correction rounds with only a 'partially unverified' warning. In this pipeline, that contradiction can be operationalized to bypass verification gates and move unverified academic content into review, formatting, and final delivery, undermining the core safety control of the workflow.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The protocol explicitly says the orchestrator will auto-inject a disclosure addendum into the manuscript, which is a side effect outside the described delegate-only stage orchestration. Even though the behavior is compliance-motivated rather than malicious, undocumented automatic content mutation can surprise users, bypass expected review checkpoints, and create integrity or provenance issues if manuscript edits occur without explicit approval at that stage.

Description-Behavior Mismatch

Low
Confidence
86% confidence
Finding
The protocol permits writing compliance reports to a local filesystem path during standalone invocation, introducing persistence not described in the manifest. Undeclared file writes can leak sensitive research content, violate sandbox or least-privilege expectations, and create hidden state that affects reproducibility or privacy.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The guidance explicitly instructs agents to access environment-held API keys and use Bash/curl to call third-party APIs. In an academic orchestration skill, this extends the skill's trust boundary beyond local orchestration into credential use and outbound network actions, creating a real risk of unintended secret use and data exfiltration if invoked automatically or without clear consent controls.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger phrases are very broad (for example, 'full pipeline', 'publish paper', and generic research-to-paper language), which increases the chance this skill is invoked for ordinary assistance requests rather than an explicit request to run a 10-stage orchestration. In a skill that chains multiple delegated stages and persists state, accidental activation can cause unnecessary data processing, unintended delegation to other skills, and expanded exposure of user content.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The skill states that the final package will be written to disk, but it does not specify output paths, overwrite behavior, naming conventions, or whether user confirmation is required before file creation. In an orchestration skill producing multiple artifacts, unclear local write behavior can lead to accidental overwrites, unexpected file placement, or silent creation of sensitive research materials on disk.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The routing triggers use broad natural-language keywords like 'review' and 'help me check', which can cause the orchestrator to enter the wrong stage from ordinary conversation. In an agentic system that dispatches downstream skills automatically, overbroad activation can trigger unintended processing of user materials, incorrect workflow progression, or accidental disclosure to additional sub-agents.

Vague Triggers

Low
Confidence
71% confidence
Finding
The material-detection heuristics infer existing artifacts from vague phrases such as 'I already have...' or from any attachment, which can misclassify user intent and route sensitive documents into mid-pipeline handling. While not catastrophic, this increases the risk of unintended data handling and bypass of the expected user flow.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger list is broad enough that ordinary phrases like "reviewer comments" or "revise and resubmit" could activate this protocol in contexts the user did not intend, especially inside a larger multi-stage orchestration skill. In an agent system, ambiguous invocation increases the chance of misrouting user input, processing unrelated files or reviewer materials, and causing unintended workflow transitions with sensitive academic content.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The protocol instructs the agent to mine the full session history and include verbatim user quotes, decisions, and collaboration history in a durable report without any privacy notice, minimization rule, or consent checkpoint. That can expose sensitive personal, academic, strategic, or confidential information in exported artifacts, especially because verbatim quotes preserve details the user may not expect to be recopied and shared.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The protocol directs the creation of Markdown, LaTeX, and PDF files from collaboration history without telling the user that persistent artifacts will be written and may remain on disk or be shared later. This is dangerous because sensitive conversation data becomes durable, portable, and easier to redistribute, increasing confidentiality and retention risks beyond the live chat context.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The template explicitly documents that users can invoke the dashboard with the single word "status," which is a highly generic phrase likely to collide with many unrelated conversations or other skills. In an orchestrator skill with broad pipeline functionality, such an overbroad trigger can cause unintended invocation, context hijacking, or accidental disclosure of workflow state to users who did not intend to call this skill.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skip phrase "just fix it for me" is broad natural language that a user may say conversationally without intending to disable the coaching step. In a multi-stage agent pipeline, ambiguous trigger phrases can cause an unintended control-flow transition, bypassing review guidance and reducing human understanding and oversight before revisions are applied.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The phrase "just fix it" is even more collision-prone because it is short, common, and likely to appear in ordinary discussion of edits. This creates a reliable path for accidental or prompt-injected skipping of residual coaching, which weakens the verification review loop and may allow unresolved issues to proceed through the publication pipeline.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The protocol says reference text and citation context are sent to an external model, but it does not require an explicit privacy warning or user consent at the point of disclosure. Even if references seem low sensitivity, citation context and paper excerpts may contain unpublished research, proprietary material, or regulated data, so silent transmission to a third party is unsafe.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
This section instructs the agent to send reviewed material to an external model for critique without requiring an explicit user warning about third-party disclosure. Reviewed material may include full drafts, confidential data, embargoed findings, or sensitive peer-review content, so external transmission materially increases confidentiality and compliance risk.

External Transmission

Medium
Category
Data Exfiltration
Content
In Claude Code, the agent can use the Bash tool to make API calls:

```bash
curl -s https://api.openai.com/v1/chat/completions \
  -H "Authorization: Bearer $OPENAI_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
88% confidence
Finding
curl -s https://api.openai.com/v1/chat/completions \ -H "Authorization: Bearer $OPENAI_API_KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# PROMPT must be set before calling. Use jq to JSON-escape it.
curl -s "https://generativelanguage.googleapis.com/v1beta/models/${ARS_CROSS_MODEL}:generateContent?key=$GOOGLE_AI_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "contents": [{"parts": [{"text": "'"$(echo "$PROMPT" | jq -Rs .)"'"}]}],
Confidence
93% confidence
Finding
curl -s "https://generativelanguage.googleapis.com/v1beta/models/${ARS_CROSS_MODEL}:generateContent?key=$GOOGLE_AI_API_KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
In Claude Code, the agent can use the Bash tool to make API calls:

```bash
curl -s https://api.openai.com/v1/chat/completions \
  -H "Authorization: Bearer $OPENAI_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
Confidence
88% confidence
Finding
https://api.openai.com/

Session Persistence

Medium
Category
Rogue Agent
Content
## Hermes Execution

The orchestrator (main Hermes agent):
1. **Stage 1**: Clarify user intent → select modes → create Project Plan
2. **Stage 2-6**: Sequential delegate_task calls, each loading the relevant skill
3. **Stage 7-9**: Lightweight parallel or sequential based on dependencies
4. **Stage 10**: Write final package to disk
Confidence
79% confidence
Finding
create Project Plan 2. **Stage 2-6**: Sequential delegate_task calls, each loading the relevant skill 3. **Stage 7-9**: Lightweight parallel or sequential based on dependencies 4. **Stage 10**: Write

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.