Env credential access
Critical
- Finding
- Environment variable access combined with network send.
academic-pipeline-suite
Security checks across static analysis, malware telemetry, and agentic risk
Overview
I could not inspect the local artifact files because the read-only sandbox command runner failed, so there is no artifact-backed evidence to classify the skill as suspicious or malicious.
Do not rely on this as a complete security review: the local artifact files could not be read in this run, and the only negative signal available was VirusTotal telemetry.
Publisher note
Complete Academic Research & Writing Suite — One-click installation of the full Academic Pipeline ecosystem with all 8 dependencies. Includes academic-pipeline v3.5, academic-search, deep-research, academic-paper, academic-paper-reviewer, humanizer, humanizer-zh, ima-skills, and integrity_verification_agent.
Static analysis
Exposed secret literal
Critical
- Finding
- File appears to expose a hardcoded API secret or token.
VirusTotal
5/65 vendors flagged this skill as malicious, and 60/65 flagged it as clean.
Risk analysis
No visible risk-analysis findings were reported for this release.