ClawHub

PubMed Search

Security checks across malware telemetry and agentic risk

Overview

The skill largely does what it claims, but it can expose a configured PubMed API key in command output or logs.

Use this only if you are comfortable with PubMed/NCBI network requests and local result or PDF files. Prefer pip or conda installation over the curl-to-shell uv installer. If you set PUBMED_API_KEY, treat command output and logs as sensitive or patch the tool to redact api_key before printing URLs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill advertises capabilities that use environment variables, network access, and local file writes, but it does not declare permissions or otherwise clearly bound those capabilities. This creates a transparency and least-privilege problem: users or hosts may grant broader trust than intended, while the skill can download content and write outputs locally without explicit disclosure.

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The stated description focuses on searching and analyzing PubMed literature, but the documented behavior also downloads PDFs/full text and writes results and analysis files locally. That mismatch can cause operators to underestimate the skill's data-handling and filesystem effects, increasing the chance of unsafe deployment or misuse.

External Script Fetching

Low
Category
Supply Chain
Content
```bash
# Install uv (if not already installed)
curl -LsSf https://astral.sh/uv/install.sh | sh

# Create virtual environment and install dependencies
cd ~/.claude/skills/pubmed-search-skill
Confidence
91% confidence
Finding
curl -LsSf https://astral.sh/uv/install.sh | sh

External Script Fetching

Low
Category
Supply Chain
Content
**Method 1: Using uv (Recommended - Fastest)**
   ```bash
   # Install uv
   curl -LsSf https://astral.sh/uv/install.sh | sh

   # Create virtual environment and install dependencies
   cd /path/to/pubmed-search-skill
Confidence
95% confidence
Finding
curl -LsSf https://astral.sh/uv/install.sh | sh

Chaining Abuse

High
Category
Tool Misuse
Content
```bash
# Install uv (if not already installed)
curl -LsSf https://astral.sh/uv/install.sh | sh

# Create virtual environment and install dependencies
cd ~/.claude/skills/pubmed-search-skill
Confidence
95% confidence
Finding
| sh

Chaining Abuse

High
Category
Tool Misuse
Content
**Method 1: Using uv (Recommended - Fastest)**
   ```bash
   # Install uv
   curl -LsSf https://astral.sh/uv/install.sh | sh

   # Create virtual environment and install dependencies
   cd /path/to/pubmed-search-skill
Confidence
97% confidence
Finding
| sh

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal