
Security audit

Search Pubmed

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward PubMed/NCBI search helper with disclosed network use, though users should treat search terms and optional credentials as data sent to NCBI.

Install only if you are comfortable with biomedical search terms, PMIDs, and any optional NCBI email/API key being sent to NCBI. Avoid using sensitive patient, proprietary, or confidential project details in queries, and invoke it when you actually want a literature or NCBI database search.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documentation clearly instructs the agent to run a Python script that performs outbound requests to NCBI, but no declared permissions are shown to make that network use explicit. Undeclared network capability is dangerous because it can cause data exfiltration of user queries, optional email values, or API keys without clear consent and weakens policy enforcement around external communications.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The manifest frames the skill as a PubMed search tool, but the body expands its use to other NCBI databases such as nucleotide and PMC. This scope mismatch is risky because users and policy systems may authorize the skill for one narrow purpose while the implementation enables broader data access and different query destinations.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The trigger list is extremely broad, covering generic biology, disease, gene, protein, drug, and organism-related language, which can cause the skill to activate in many contexts where the user did not intend an external PubMed/NCBI search. Overbroad invocation increases the chance of unnecessary external requests and inadvertent disclosure of sensitive research interests or biomedical topics.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation omits a warning that searches transmit query contents to NCBI and may also send optional contact email and API key values. This lack of transparency is dangerous in biomedical contexts because queries may contain sensitive disease, drug, gene, or project information, and users may unknowingly expose credentials or identifying metadata to a third party.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The script sends user-provided search terms, PMID values, and optional email/API key context to NCBI over the network without any explicit disclosure or consent prompt. In an agent setting, users may not realize their biomedical queries or identifiers are being transmitted to a third party, which can expose sensitive research interests, health-related topics, or operational metadata.
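The first three findings above (undeclared network use, scope wider than the description, generic triggers) and the credential-forwarding concern in the last two can all be checked mechanically from a skill's manifest and script. The following is an added example of such a check; it is not SkillSpector's or the Search Pubmed skill's own code. The manifest and script below are constructed stand-ins shaped to reproduce the findings, the finding identifiers, the `network` permission name and the purpose-word list used for the trigger heuristic are assumptions made for this example, and the front-matter reader is deliberately minimal rather than a YAML parser.

```python
import re

# Constructed sample inputs for this example. They are not the real Search
# Pubmed skill's SKILL.md or script, only a shape that reproduces the audit's
# findings: a manifest that declares no permissions and a script that calls
# NCBI E-utilities with an API key read from the environment.
MANIFEST = """---
name: search-pubmed
description: Search PubMed for biomedical literature by keyword or PMID.
triggers: [biology, disease, gene, protein, drug, organism, pubmed]
permissions: []
---
Run `python scripts/search.py "<query>"` to search PubMed.
Pass `--db nucleotide` or `--db pmc` to query other NCBI databases.
"""

SCRIPT = '''
import os, urllib.parse, urllib.request

BASE = "https://eutils.ncbi.nlm.nih.gov/entrez/eutils/esearch.fcgi"

def search(term, db="pubmed"):
    params = {"db": db, "term": term}
    if os.environ.get("NCBI_API_KEY"):
        params["api_key"] = os.environ["NCBI_API_KEY"]
    if os.getenv("NCBI_EMAIL"):
        params["email"] = os.getenv("NCBI_EMAIL")
    with urllib.request.urlopen(BASE + "?" + urllib.parse.urlencode(params)) as r:
        return r.read()
'''

# Outbound-network call sites in common Python HTTP/socket APIs.
NETWORK_CALL = re.compile(
    r"\b(urllib\.request\.urlopen|requests\.(?:get|post|put|delete|request)"
    r"|httpx\.(?:get|post|Client)|http\.client\.HTTPS?Connection|socket\.socket)\b")
# os.environ.get("X"), os.environ["X"], os.getenv("X")
ENV_READ = re.compile(r"os\.(?:environ\.get|getenv|environ)\(?\[?\s*['\"]([A-Z0-9_]+)['\"]")
REMOTE_HOST = re.compile(r"https?://([\w.-]+)")
# `--db nucleotide` in prose, db="pubmed" / db=pmc in code.
DB_ARG = re.compile(r"(?:--db\s+|\bdb=)['\"]?(\w+)")
SECRET_NAME = re.compile(r"KEY|TOKEN|SECRET|PASSWORD")
# Trigger words that tie activation to the stated purpose; everything else is
# treated as generic domain vocabulary. Heuristic list chosen for this example.
PURPOSE_WORDS = {"pubmed", "ncbi", "pmid", "literature"}


def parse_front_matter(manifest):
    """Minimal reader for a YAML-like header: `key: value` and `key: [a, b]`.

    Returns (fields, body). Deliberately not a full YAML parser.
    """
    if not manifest.startswith("---"):
        return {}, manifest
    header, _, body = manifest[3:].partition("\n---")
    fields = {}
    for line in header.strip().splitlines():
        key, _, value = line.partition(":")
        value = value.strip()
        if value.startswith("[") and value.endswith("]"):
            value = [v.strip() for v in value[1:-1].split(",") if v.strip()]
        fields[key.strip()] = value
    return fields, body


def audit(manifest, script):
    """Return (finding_id, detail) pairs for a manifest/script pair."""
    fields, body = parse_front_matter(manifest)
    findings = []

    # 1. Network use in code that the manifest never declares.
    permissions = fields.get("permissions", [])
    calls = sorted(set(NETWORK_CALL.findall(script)))
    hosts = sorted(set(REMOTE_HOST.findall(script)))
    if calls and "network" not in permissions:
        findings.append(("undeclared-network-capability",
                         f"{calls} reach {hosts}; permissions={permissions}"))

    # 2. Secret-looking environment variables read by code that also talks
    #    to the network: their values leave the machine with the request.
    env_names = sorted(set(ENV_READ.findall(script)))
    secrets = [n for n in env_names if SECRET_NAME.search(n)]
    if secrets and calls:
        findings.append(("credential-forwarding",
                         f"{secrets} read from env and sent to {hosts}"))

    # 3. Databases reachable from body or code that the description omits.
    description = str(fields.get("description", "")).lower()
    dbs = sorted(set(DB_ARG.findall(body + script)))
    hidden = [d for d in dbs if d not in description]
    if hidden:
        findings.append(("scope-mismatch",
                         f"description omits databases reachable in body/code: {hidden}"))

    # 4. Triggers that are generic domain words rather than purpose words.
    triggers = fields.get("triggers", [])
    generic = [t for t in triggers if t.lower() not in PURPOSE_WORDS]
    if len(generic) >= 3:
        findings.append(("overbroad-trigger", f"generic triggers: {generic}"))

    return findings


if __name__ == "__main__":
    for finding_id, detail in audit(MANIFEST, SCRIPT):
        print(f"{finding_id}: {detail}")
```

Adding `network` to the constructed manifest's `permissions` clears only the first finding; the other three stay, which is the point of keeping the checks separate. Note also that E-utilities take `api_key` and `email` as URL query parameters, so in a real deployment those values appear in any proxy, gateway or agent-runtime log that records request URLs, not only at NCBI.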

VirusTotal

64/64 vendors flagged this skill as clean.
