
Security audit

Literature Search Workflow

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it claims, but it includes and uses a bundled Tavily API key, which users should review before installing.

Install only if you are comfortable sending literature-search queries to Tavily and having Markdown reports written to the working directory. Preferably remove the bundled Tavily key (rotating or revoking it if you own it) and require users to supply their own TAVILY_API_KEY through a proper secret mechanism, such as an environment variable populated from a secret manager, rather than a default baked into the source.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding
The skill advertises external API use, local report generation, and content acquisition via web_fetch, but it does not declare permissions for network, environment variable access, or file writing. Missing permission declarations weaken review and sandboxing controls, making it easier for hidden or expanded behavior to go unnoticed. In a workflow that queries remote services and saves results locally, this increases the chance of unauthorized data access or writes.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 97%
Finding
A hardcoded default Tavily API key is a real security issue: an embedded secret can be extracted by any user with access to the skill and then abused, leading to quota theft, billing exposure, or unauthorized API use. The undocumented file-writing behavior also matters. It extends the skill beyond its declared purpose, reduces transparency, and risks unexpected persistence or overwriting of local data.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The trigger keywords include broad generic phrases such as '论文搜索' ("paper search"), '查找文献' ("find literature"), 'search literature', and 'find papers', which can match many ordinary research-related requests beyond the intended scoped workflow. In an agent environment, overly broad triggers can cause the skill to activate unexpectedly, hijack routing from more appropriate skills, or process queries with unintended tools and assumptions.

Missing User Warnings

Severity: Medium
Confidence: 99%
Finding
The script embeds a default Tavily API key directly in source and uses it for outbound requests. Hardcoded credentials are easily leaked through source distribution, logs, repositories, or downstream reuse, enabling unauthorized API consumption, quota abuse, and possible billing exposure.

Ssd 3

Severity: Medium
Confidence: 92%
Finding
A hardcoded API key in the source creates a real secret-exposure risk even if this file does not explicitly print it. Once embedded in code, the credential may be disclosed via repository access, packaging, debugging, stack traces, or copy/paste into other outputs, and the skill context increases danger because the script is designed for repeated external requests using that key.
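The pattern that findings Tp4, Missing User Warnings and Ssd 3 describe, and the fix the overview recommends, as an added illustration that is not code from the skill or from SkillSpector: the weak fallback-to-embedded-key shape beside a fail-closed version that requires the user's own TAVILY_API_KEY, plus a heuristic pre-install check that flags key-like string defaults in a skill's source. The placeholder key strings, the sample skill source, the example endpoint URL and the two regex heuristics are all constructed for this example and do not reproduce the skill's actual key, code or endpoint.

```python
import os
import re

# Weak pattern (the shape the audit flags): the skill runs even when the user
# set nothing, because a key embedded in source is used as the default.
# Constructed placeholder; not the key from the skill.
EMBEDDED_DEFAULT_KEY = "tvly-EXAMPLE-NOT-A-REAL-KEY"


def get_key_weak(env=None):
    """Return the user's key if set, otherwise the embedded default.

    Anyone who can read the skill gets a working credential, and nothing
    tells the user that their queries are billed to somebody else's account.
    """
    env = os.environ if env is None else env
    return env.get("TAVILY_API_KEY", EMBEDDED_DEFAULT_KEY)


class MissingSecret(RuntimeError):
    """Raised when the required credential has not been provided."""


def get_key_strict(env=None):
    """Fail closed: require TAVILY_API_KEY from the environment, no fallback."""
    env = os.environ if env is None else env
    key = env.get("TAVILY_API_KEY", "").strip()
    if not key:
        raise MissingSecret(
            "TAVILY_API_KEY is not set; export it from your secret manager "
            "before running this skill"
        )
    return key


# Pre-install review check. Two heuristic shapes (assumed, not exhaustive):
#   1. an env lookup whose default argument is a non-trivial string literal
#   2. a variable named like a key/token/secret assigned a long string literal
DEFAULT_ARG_RE = re.compile(
    r"""(?:environ\.get|getenv)\(\s*["'][A-Z0-9_]*(?:KEY|TOKEN|SECRET)["']"""
    r"""\s*,\s*["']([^"']{8,})["']"""
)
KEY_ASSIGN_RE = re.compile(
    r"""^\s*[A-Za-z_]*(?:KEY|TOKEN|SECRET)\w*\s*=\s*["']([^"']{16,})["']""",
    re.IGNORECASE,
)


def find_embedded_secrets(source):
    """Return (line_number, literal) for each line that looks like an embedded key."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for pattern in (DEFAULT_ARG_RE, KEY_ASSIGN_RE):
            match = pattern.search(line)
            if match:
                hits.append((lineno, match.group(1)))
                break  # one report per line is enough
    return hits


# Constructed sample of a skill script in the shape the audit describes:
# an embedded default key, a fallback to it, and a report written to the CWD.
# The endpoint URL is a placeholder, not the real service.
SAMPLE_SKILL_SOURCE = '''\
import os
import requests
DEFAULT_API_KEY = "tvly-EXAMPLE0000000000000000"
api_key = os.environ.get("TAVILY_API_KEY", "tvly-EXAMPLE1111111111111111")
resp = requests.post("https://api.example.com/search", json={"api_key": api_key, "query": "q"})
open("report.md", "w").write(resp.text)
'''

# Constructed hardened counterpart: no literal default anywhere.
HARDENED_SOURCE = '''\
import os
api_key = os.environ["TAVILY_API_KEY"]
'''


if __name__ == "__main__":
    for lineno, literal in find_embedded_secrets(SAMPLE_SKILL_SOURCE):
        print(f"line {lineno}: embedded secret-like literal {literal[:6]}...; review before installing")
    print("hardened sample hits:", find_embedded_secrets(HARDENED_SOURCE))
```

The scanner is a review aid, not proof of absence: it only catches literal defaults in the two shapes shown, so a key assembled at runtime or loaded from a bundled data file still needs a manual read of the source. Treat any hit as a reason to pause installation and, if you own the key, rotate it.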

VirusTotal

62/62 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.