Literature Search Pro

Security checks across malware telemetry and agentic risk

Overview

This skill mostly does academic paper search as advertised, but a crafted search input could make it run unintended local shell commands.

Install only if you trust the search inputs passed to this skill and understand that queries are sent to third-party academic services and cached locally. The safest fix is to replace exec with spawn or execFile using argument arrays, add strict validation for numeric and source fields, and add clear cache disclosure and controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code builds a shell command string from user-controlled fields such as query, limit, yearMin, and sources, then executes it with exec(). Wrapping query in double quotes is not sufficient to prevent shell metacharacter injection, so an attacker may be able to break out of the intended arguments and execute arbitrary commands in the host environment.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code sends user-supplied queries to third-party APIs and stores both queries and returned results on local disk, but it provides no explicit notice, consent flow, or control over persistence beyond a refresh flag. This is a real privacy and data-handling issue because search terms may contain sensitive research topics, proprietary terms, or personal data, and cached results remain readable locally.

VirusTotal

67/67 vendors flagged this skill as clean.
