Back to skill

Security audit

ResearchVault

Security checks across malware telemetry and agentic risk

Overview

ResearchVault is a coherent local research tool with disclosed optional network, portal, MCP, and watchdog features, but users should keep the portal local and be careful with private-network fetching and external search.

Install only if you want a local research database and are comfortable with optional web search and ingestion. Keep the portal bound to localhost, protect the portal token, avoid enabling private-network fetches unless you intentionally need them, and remember that Brave/other search queries may leave your machine when configured and invoked.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill declares no permissions even though the manifest describes substantial capabilities including environment-variable access, filesystem read/write, network access, shell execution, and optional MCP/background services. This undermines least-privilege review and can cause users or hosting platforms to trust and invoke a skill with broader access than is explicitly disclosed.

Tp4

High
Category
MCP Tool Poisoning
Confidence
81% confidence
Finding
The top-level description presents the skill as a local-first research engine, but the manifest text also exposes a much broader attack surface: authenticated web portal, subprocess-driven CLI actions, external web ingestion, DB inspection/selection, exports, diagnostics, and secret/status handling. This mismatch can mislead users and reviewers about the true security boundary, increasing the risk of unsafe deployment or over-trust of a service with network, shell, and data-management functionality.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The /system/diagnostics endpoint returns process metadata, selected environment variable values, allowed DB roots, CLI stderr, and provider configuration details. Even though the router is session-protected, this materially increases information disclosure to any authenticated user and can aid lateral movement, path discovery, and targeted abuse of local integrations.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Developer Mode exposes powerful state-changing operations such as manual event logging, watch creation, watchdog execution, and especially cache injection via `/vault/search` with `set_result`. In a research portal, these low-level mutation paths can let a user fabricate or tamper with research state and verification data, weakening integrity guarantees and expanding the attack surface beyond the stated orchestration purpose.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The web ingest flow offers an `allow_private_networks` option and labels it as SSRF risk, meaning the UI can instruct the backend to fetch URLs on private or internal networks. If an authenticated user or attacker with portal access can use this, it can turn the backend into a proxy for accessing internal services, cloud metadata endpoints, or other non-public resources.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The skill is described as local-first, but this code performs live outbound searches to Brave. That mismatch can cause users or downstream agents to provide sensitive research terms under the assumption data stays local, creating an unexpected privacy and trust boundary violation.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
Reading BRAVE_API_KEY from the environment is not inherently unsafe, but in a supposedly local-first skill it introduces an undeclared remote-service dependency and expands the secret-handling surface. This becomes more concerning because the capability enables transmission of user queries to a third party without obvious local-only safeguards.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Verification missions automatically execute external searches based on stored findings, which can turn internal or sensitive project content into outbound search queries without an interactive approval step. In a local-first research tool, autonomous background network activity materially increases privacy risk and can leak investigation topics, proprietary names, or other sensitive context.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The diagnostics response discloses sensitive configuration and operational data, including RESEARCHVAULT_DB, allowed DB roots, search-provider settings, PID/platform details, and backend/CLI error output, without any apparent role-based restriction beyond a generic session requirement. That creates an unnecessary reconnaissance surface and may expose local paths, service topology, and debugging details useful to an attacker or over-privileged user.

Missing User Warnings

High
Confidence
97% confidence
Finding
The /scuttle endpoint allows authenticated users to trigger outbound fetches to arbitrary URLs and optionally enables private-network access via --allow-private-networks. That creates a clear SSRF primitive against internal services and cloud metadata endpoints if the underlying scuttle command performs HTTP requests on behalf of the server.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
Search queries are sent to Brave without any user-facing warning in this file, so potentially sensitive research prompts may be disclosed to a third party unexpectedly. The danger is amplified by the product description suggesting local-first behavior, which lowers user suspicion about outbound disclosure.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The watchdog performs background Brave searches and persists the query results into project insights/events without any user-facing notice, confirmation, or visible consent check in this code path. Because search queries and returned snippets may contain sensitive research topics, this can unintentionally disclose project intent or confidential terms to external services and create a privacy leak during unattended operation.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal