Security audit

academic-pipeline-suite

Security checks across malware telemetry and agentic risk

Overview

This is a real academic workflow suite, but it needs Review because it bundles overbroad live-browser automation, unconfirmed skill overwrites, and AI-detection-removal guidance.

Install only if you are comfortable with a large academic-writing suite that can overwrite existing local skills and, for some searches, control your logged-in Chrome session. Review the install script first, back up existing skills, avoid enabling Chrome remote debugging on your everyday profile, stop the CDP proxy when done, and do not use the humanizer components to conceal AI assistance where disclosure is required.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (73)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding
The skill advertises shell-based installation and local filesystem interaction, but the metadata does not declare permissions for shell or environment access. That mismatch weakens user consent and platform enforcement because consumers may believe the skill is documentation-only while it instructs actions that modify the local skills directory and inspect the environment.

Intent-Code Divergence

Severity: Medium
Confidence: 84%
Finding
The documentation claims the suite is fully offline and requires no network download, but later states that network/API access is needed for academic database queries. Contradictory trust signals can mislead users about when data leaves the machine, which is especially risky for unpublished academic work, API keys, and potentially sensitive drafts.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The skill first claims its writing-quality rules are 'not detection evasion,' but later explicitly frames guidance around avoiding 'instant AI detection' signals such as overused terms and em dashes. That contradiction creates a practical pathway for AI-output laundering: users can use the skill to rewrite text specifically to reduce detectability by reviewers, instructors, or publishers.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding
The skill is presented as a citation-format compliance agent, but it expands into plagiarism detection and external retraction screening, which are materially different functions with higher-risk judgment calls and external dependency use. This scope creep can cause unauthorized content evaluation, false accusations, or unintended network lookups beyond user expectations for a formatting task.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding
The instructions require the agent to determine whether cited claims are accurately represented and to flag potential fabrication, which is a substantive scholarly-integrity adjudication rather than citation compliance. In an automated pipeline, this can lead to unsupported accusations, workflow interruption, or unsafe edits based on weak model inference about source meaning.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The guide defines 'revision mode' earlier, but the trigger mapping later routes reviewer-comment requests to an undefined 'revision-coach' mode. This inconsistency can cause the intake agent or downstream orchestration to select a nonexistent path, fail open, or misroute user data and actions, which is a genuine integrity and reliability issue in agent behavior.

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding
The Error Recovery table says that if Stage 2.5 still fails after 3 correction rounds, 'user decides whether to continue,' which conflicts with multiple earlier IRON RULES stating integrity checks are mandatory and blocking. In an orchestrator, contradictory control-flow guidance is dangerous because implementations or downstream agents may follow the weaker recovery path and allow progression with unverifiable citations, fabricated claims, or failed integrity checks.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding
The agent's stated role is reference, citation, and data verification, but this section expands into plagiarism and originality detection. That scope expansion can cause the agent to make high-stakes academic misconduct judgments using weak heuristics like web search sampling, creating a risk of false accusations, policy overreach, and user harm beyond the declared task.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding
This section adds end-to-end factual claim-truthfulness verification, which goes beyond verifying whether citations and data are correctly referenced. In practice, that broadens the agent into adjudicating substantive truth claims and source interpretation, increasing the chance of unsupported refusals, incorrect contradiction flags, and overconfident decisions in ambiguous or paywalled contexts.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The file claims the agent 'only' performs factual verification of references, citations, and data, but later instructs it to perform originality and plagiarism judgments. This internal contradiction is dangerous because users and downstream systems may rely on the narrower description while the agent actually performs broader, more sensitive adjudications without clear authorization or safeguards.

Intent-Code Divergence

Severity: Medium
Confidence: 98%
Finding
The exception flow explicitly allows the user to continue to the next stage with a "partially unverified" warning after more than 3 failed integrity-check rounds, which contradicts earlier rules stating Stage 2.5 and 4.5 are mandatory and cannot be skipped. In an academic-writing pipeline, this undermines the core integrity gate and can enable unverified or fabricated citations to propagate into review and finalization stages.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The skill instructs the agent to actively update local reference files based on browsing outcomes, which expands its behavior from paper search into persistent local file modification. That creates an unnecessary integrity risk: compromised pages, bad extraction, or prompt-injection-like content from websites could be written into trusted local guidance files and influence future runs.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The documentation explicitly advertises browser-level real mouse clicks that can 'trigger file dialogs' and 'bypass some anti-automation detection.' In an academic search skill, this meaningfully expands capability from passive research into stealthier interactive automation, which can be misused to evade site controls and perform actions a user may not expect.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding
`setFiles` allows automated assignment of arbitrary local file paths to browser file inputs, enabling the skill to upload local files to remote sites without an interactive chooser. For an academic-search component, this is over-privileged and creates a clear path to unintended disclosure of sensitive local documents, keys, notes, or datasets.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
The file explicitly instructs use of CDP-driven browser automation against Google Scholar to 'simulate real user behavior' using a real logged-in Chrome profile and to avoid other access methods because of anti-bot controls. That guidance is effectively anti-detection/evasion advice and can cause the agent to leverage a user's authenticated browser state to access and scrape a service in ways that may violate terms, trigger account/IP sanctions, or expose session-bound data.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding
This proxy exposes a broad local HTTP API that can enumerate tabs, create and close targets, navigate pages, execute page JavaScript, click elements, upload files, scroll, and write screenshots to disk through the user's live Chrome debugging session. For a skill presented as academic search, that scope is unjustified and turns the user's normal browser into a general-purpose automation surface that can access authenticated sessions and sensitive content.

Context-Inappropriate Capability

Severity: Critical
Confidence: 99%
Finding
The /eval endpoint accepts arbitrary request body content and passes it directly to Runtime.evaluate in the user's attached Chrome target. Any local process that can reach this service can run script in pages the user is logged into, enabling theft of page data, DOM manipulation, unintended actions, and abuse of active authenticated sessions.

Context-Inappropriate Capability

Severity: High
Confidence: 96%
Finding
The /setFiles endpoint allows callers to supply arbitrary filesystem paths that are then injected into file input elements via DOM.setFileInputFiles. This can be abused to exfiltrate local documents to remote websites through the browser, especially dangerous because it operates in the user's real browsing context and authenticated sessions.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
The /screenshot endpoint can write captured browser content to any filesystem path provided by the caller via q.file. This permits arbitrary local file creation or overwrite within the user's permissions and can persist sensitive page content from authenticated browser sessions to disk without meaningful safeguards.

Intent-Code Divergence

Severity: Medium
Confidence: 90%
Finding
The header describes the proxy as a way to access academic platforms, but the implementation actually grants broad control over the user's everyday Chrome via remote debugging. That mismatch is security-relevant because it understates the true capability and risk, increasing the chance that users enable highly privileged browser access without informed consent.

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding
The README encourages one-click installation and direct execution of an install script in the local skills workspace without clearly disclosing that it will install multiple dependent skills and modify the user's environment. This increases supply-chain and user-consent risk because users may run the command without understanding the scope of changes or reviewing what the script does.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding
The release notes instruct users to run install.sh directly and describe it as automatically installing 8 dependency skills, but do not warn that this will modify the local environment and pull multiple packages. In a meta-skill context, encouraging one-click installation without clearly disclosing scope and requiring review increases supply-chain and unintended-installation risk, especially because users may trust the top-level package without separately vetting dependencies.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding
The troubleshooting guidance recommends using --force to resolve version conflicts without warning that this may overwrite or upgrade existing dependencies. In a package that orchestrates installation of 9 skills, force-install guidance can lead users to replace trusted components with newer or different versions, increasing the chance of dependency confusion, environment breakage, or silent introduction of risky packages.

Missing User Warnings

Severity: Low
Confidence: 80%
Finding
The skill promotes running install and reinstall shell commands without warning that they will write into the user's local OpenClaw skills directory. While common for package installation, undocumented local modification reduces informed consent and can lead to accidental overwrites or persistence of unreviewed dependencies.

Missing User Warnings

Severity: Low
Confidence: 77%
Finding
The README references external academic database APIs and API key configuration but does not warn users that queries, drafts, citations, and other research content may be sent to third parties. In an academic workflow, this can expose unpublished ideas, manuscript text, or institutional credentials.

VirusTotal

5/65 vendors flagged this skill as malicious, and 60/65 flagged it as clean.

Static analysis

Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal

Environment variable access combined with network send.

Severity: Critical
Code: suspicious.env_credential_access
Location: skills/ima-skills/ima_api.cjs:31

File appears to expose a hardcoded API secret or token.

Severity: Critical
Code: suspicious.exposed_secret_literal
Location: skills/ima-skills/knowledge-base/scripts/cos-upload.cjs:96