ClawHub

Pubmed Edirect

Security checks across malware telemetry and agentic risk

Overview

This skill transparently helps users run NCBI EDirect for PubMed searches, with elevated manual-install risks clearly disclosed.

Install this only if you are comfortable reviewing and running command-line tools. Download EDirect from the official NCBI source, avoid running as root, protect any API key or email saved in shell configuration, and run examples in a dedicated workspace because they contact NCBI and can create or overwrite local output files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill clearly instructs users to download and run an external installer script from the network and later use network-capable EDirect binaries, but it does not declare corresponding permissions/capabilities in a machine-readable way. This creates a transparency and policy-enforcement gap: an agent or platform may underestimate the skill's ability to access the network and execute externally sourced tooling.

Natural-Language Policy Violations

Low
Confidence
90% confidence
Finding
The documentation explicitly recommends filtering PubMed results to English-language articles only, without presenting it as optional or explaining when that limitation is appropriate. In a literature-search skill, this can bias evidence retrieval, exclude relevant non-English studies, and lead users to incomplete or skewed conclusions, especially for reviews or evidence synthesis.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal