Dataify Google Scholar

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Dataify Google Scholar API helper that sends confirmed search parameters to Dataify and does not show hidden persistence or unrelated access.

Install only if you are comfortable sending Google Scholar search terms and selected parameters to Dataify. Review the confirmation table before approving calls, and prefer DATAIFY_API_TOKEN over passing a token in chat or with --token.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
87% confidence
Finding
The trigger description uses broad phrases like "academic search/paper search" and activates on merely mentioning the academic search field, which can cause the skill to fire in contexts the user did not clearly intend. Overbroad activation increases the chance of unintended external API use, unnecessary prompt takeover, or accidental handling of sensitive queries through this skill.

Missing User Warnings

Medium
84% confidence
Finding
The script transmits user-supplied search queries and related parameters to a third-party service over the network, but the normal execution path does not provide a clear consent or disclosure prompt at send time. This can expose sensitive research topics, identifiers, or usage patterns to an external provider, which is a privacy and data-handling risk in agent environments.

VirusTotal

64/64 vendors flagged this skill as clean.
