Data Source Verification

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only research workflow skill whose PDF downloads and local citation files match its stated source-verification purpose.

Install this only for projects where you want an agent to organize research sources locally. Use it in the intended project directory, approve DOI or URL downloads, treat downloaded PDFs as untrusted external documents, and review generated CITATION.md files before relying on them.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The README advertises an `add <DOI or URL>` command that downloads PDFs and creates local files, but it does not clearly warn users that invoking the skill may perform network access and write to disk. In an agent setting, this can lead to unexpected external requests, retrieval of attacker-controlled content, or unintended file creation from untrusted input, especially if DOI/URL values are supplied indirectly by prompts or tool chains.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal