Research Library

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local research-library CLI, but users should understand it can index private files and metadata, optionally fetch URLs, and persist backups locally.

Install only if you are comfortable with a local CLI that copies imported files into its own library, indexes extracted text and metadata, and stores backups locally. Avoid importing sensitive images unless you are comfortable with GPS/EXIF fields becoming searchable, prefer HTTPS URLs over FTP, and make a fresh backup before using restore or --force.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill advertises installation and usage that imply filesystem access, shell execution, background processing, and likely network retrieval, but it does not declare permissions or clearly scope those capabilities. Hidden or undeclared capabilities reduce informed consent and make it easier for users or orchestrators to run the skill with broader access than expected.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The description frames the skill as local-first research storage, but the documented and analyzed behavior includes remote file downloads, export functions, restore operations, worker subsystems, and additional schema/search capabilities not disclosed in the summary. This mismatch is security-relevant because users may grant trust to a seemingly local-only tool while it can reach networks, modify data state, and expose content through export paths.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The add command accepts arbitrary URLs and fetches them with urllib.request.urlretrieve, which introduces unbounded outbound network access into a tool described as local-first. This can enable unexpected data egress, retrieval from attacker-controlled hosts, and use of the CLI in environments where network access should be prohibited or tightly controlled.

Context-Inappropriate Capability

Low
Confidence
85% confidence
Finding
The URL validator explicitly permits ftp in addition to http/https, expanding the attack surface to an older, weaker protocol that is unnecessary for a local-first research library. FTP lacks modern transport protections by default and increases the risk of insecure downloads or interaction with untrusted infrastructure.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
Documenting backup and restore without warning that restore can overwrite, roll back, or replace current local research data creates a real integrity risk. Users may invoke restore expecting a safe preview operation and unintentionally destroy newer work or reintroduce stale state.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The restore documentation omits a prominent warning that restoring from backup can overwrite the current database state and discard newer data. In a local-first research library handling project documents and metadata, this can lead to destructive data loss if a user or automation runs restore with incomplete understanding, especially together with `--force`.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The guide explicitly states that EXIF data including GPS and PDF metadata such as author and creation date are extracted, but it does not warn that these fields can contain sensitive personal, location, or organizational information. In a local-first research library that ingests diverse project files, silent indexing or display of this metadata can expose user locations, identities, or project history through search, backups, exports, or cross-project references.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The image extractor automatically reads EXIF and injects it into both metadata and extracted searchable text, including fields like GPSInfo, CameraOwnerName, serial numbers, and author/comment tags. In a research-library context that indexes and cross-references local project assets, this can silently expose sensitive location, device, or personal information to search, downstream consumers, backups, or exports without user awareness or consent.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The timeout mechanism only stops waiting on the helper thread; it does not stop the extraction itself. A timed-out parser can continue reading and processing document contents in the background, consuming CPU/memory and potentially persisting access to sensitive local files after the system has reported failure, which is especially risky in a local-first research library handling private project documents.

VirusTotal

65/65 vendors flagged this skill as clean.
