A research skill that searches around a given topic.

Security checks across malware telemetry and agentic risk

Overview

This research skill appears purposeful, but it needs review because it sends research content to outside services and includes under-disclosed advanced web-fetching behavior.

Install only if you are comfortable sending your research topic, selected paper text, and fetched webpage content to Serper and OpenRouter. Use limited-scope API keys, prefer a virtual environment and a user-local install path, avoid confidential or proprietary research topics, and clear the /tmp/owl_papers cache after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (9)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 89%
Finding: The skill declares required environment variables and executable dependencies, but the metadata does not explicitly declare the effective permissions implied by its behavior: network access, local file read/write, shell execution, and environment access. That weakens policy enforcement and user understanding, making it easier for a seemingly simple research skill to run with broader capabilities than expected.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 96%
Finding: The documented behavior presents a constrained 6-step research workflow, but the implementation supports materially broader actions: OpenRouter calls, advanced scraping with browser impersonation, proxying, arbitrary HTTP methods, batch fetching, and direct page retrieval. This mismatch is dangerous because reviewers and users may authorize the skill for benign research while the code can exfiltrate data, evade detection, or perform broader network activity than the description suggests.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: The module explicitly advertises stealth headers, browser fingerprint impersonation via curl_cffi, and proxy support/rotation to bypass anti-bot controls. For a research-summary skill that should only retrieve public content for summarization, these evasive capabilities materially expand abuse potential and are not necessary for normal operation.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding: The fetcher allows arbitrary POST requests with caller-supplied data to any URL, which enables active interaction with external services rather than passive retrieval. In the context of a read-and-summarize skill, this creates unnecessary capability for data exfiltration, form submission, or triggering side effects on third-party systems.

Vague Triggers

Severity: Medium
Confidence: 82%
Finding: The trigger phrases are broad enough to activate on many normal user queries such as "what is X" or "deep dive," which can cause the skill to run unexpectedly. In this skill, unexpected activation is more dangerous because execution includes external searches, PDF fetching, file caching, and third-party LLM/API calls, potentially sending user content off-platform without clear intent.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The documentation describes sending queries and retrieved content to external services including arXiv, Serper, and an LLM provider, but does not clearly warn users that their prompts and fetched material may be transmitted to third parties. This creates a privacy and data-governance risk, especially if users invoke the skill with sensitive internal topics, proprietary research questions, or confidential URLs/content.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The fetcher can send arbitrary URLs, query parameters, and POST bodies directly or through proxies without any consent, disclosure, or destination restrictions. In an agent skill, this is risky because user-provided or model-generated data may be transmitted to third parties unexpectedly, including through intermediary proxy infrastructure.

Ssd 1

Severity: Medium
Confidence: 97%
Finding: The summary prompt embeds large amounts of untrusted paper and web content directly into the LLM context without any instruction-hierarchy guardrails. Because this skill is explicitly a research workflow that ingests arbitrary external content, a malicious webpage or paper can inject instructions that manipulate the model's output, citations, or decision-making, potentially causing data leakage, false claims, or unsafe follow-on actions in a larger agent pipeline.

Ssd 1

Severity: Medium
Confidence: 97%
Finding: The paper-selection step passes raw title/abstract/introduction text from arXiv papers to the model and asks it to choose papers, but it never instructs the model to ignore instructions embedded in the papers themselves. In a research assistant context, retrieved PDFs are attacker-controllable inputs, so prompt injection can bias paper selection, fabricate reasons, or steer later stages of the pipeline toward malicious sources.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal