Back to skill

Security audit

Biomedical Reference Verifier

Security checks across malware telemetry and agentic risk

Overview

This is a purpose-aligned biomedical reference checker, but users should know it can send citation identifiers or titles to scholarly metadata services and create local audit files.

Install only if you are comfortable sending reference identifiers and sometimes short citation titles to Crossref, PubMed, and OpenAlex. Use format-only mode for offline formatting, avoid full manuscript/body cleanup unless you explicitly want it, and keep process JSON or indexes when you need an audit trail.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill declares no explicit permissions, yet its instructions clearly require shell execution, reading and writing files, accessing environment variables, and making network requests to external services such as Crossref, PubMed, and OpenAlex. This mismatch weakens policy enforcement and reviewability: a host may grant broader capabilities implicitly or operators may not realize the skill can exfiltrate local reference content or API keys over the network.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The policy explicitly instructs the skill to scan manuscript body text, compare narrative/parenthetical citations to bibliography entries, and flag or remove body claims that depend on fabricated references. That exceeds the declared skill scope of reference existence/metadata verification and moves into evaluating citation support and manuscript claims, which can cause the agent to process and reason over broader manuscript content than necessary. In this context, the issue is primarily scope creep and unnecessary access to sensitive text rather than direct code execution.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The `semantic_hallucination` error type defines behavior for judging whether a surrounding claim or summary is supported by a paper, which is outside the stated scope of verifying reference authenticity, metadata, and formatting. This broadens the skill into claim verification, increasing the chance the agent will inspect manuscript assertions and make substantive judgments beyond least-privilege needs.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The tool sends user-derived titles/DOIs and the configured email address to Crossref/OpenAlex/PubMed without any in-code consent gate or prominent runtime disclosure before transmission. In a biomedical context, references may be unpublished manuscripts, grant materials, or otherwise sensitive metadata, so silent third-party transmission creates a privacy and data-governance risk.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The script writes multiple derived files and can delete generated process files based on command-line options, but it does not require a confirmation step before destructive cleanup. This can unexpectedly remove artifacts needed for auditability or user review, especially when operating on research-reference workflows where traceability matters.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.