Security audit

open-skills

Security checks across malware telemetry and agentic risk

Overview

This is a real skill installer, but it can change agent/editor configuration broadly and clean up files without enough per-action safeguards.

Install only if you are comfortable with a CLI that can fetch third-party skills and modify global or project-level agent/editor configuration. Prefer local scope first, review the selected skills and target directories, back up existing rule/skill directories, and avoid running update/sync/import on directories that contain manually maintained files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (20)

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding:
The skill’s stated purpose is research/report generation, but it also instructs the agent to create local directories, write files in user and internal locations, and open generated artifacts automatically. Those side effects expand the skill’s authority beyond what is necessary for answering a research query and can surprise users or be abused for unwanted local-state changes.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding:
The skill delegates work to auxiliary agents and another skill for continuation and PDF generation, even though its advertised function is verified research. This increases the execution surface and can propagate permissions, context, or file access to additional components without clear user awareness or tight scoping.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding:
Automatically opening HTML and PDF files in local applications is not required to perform research and creates an unnecessary side effect on the user’s system. Even if the files are benign, auto-launching applications can be intrusive, leak information through local handlers, or normalize unsafe agent behavior.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding:
Recursive continuation-agent spawning is not an obvious requirement for research and introduces a potentially unbounded chain of delegated execution. That can amplify mistakes, consume resources, and make the agent’s behavior harder to audit or interrupt.

Intent-Code Divergence

Severity: High
Confidence: 93%
Finding:
The skill claims its scripts are offline and stdlib-only, yet earlier instructions rely on DOI resolution, browser opening, and delegated PDF generation. This mismatch can mislead reviewers and users about the true capabilities and trust boundary of the skill, causing them to authorize behavior they would not otherwise accept.

Missing User Warnings

Severity: Medium
Confidence: 82%
Finding:
The skill promises automatic download, conversion, and output across multiple editors after confirmation, but it does not explain what files are modified, where content is installed, what sources are fetched, or how synchronization may overwrite existing configuration. In a tool that performs network retrieval and cross-editor writes, this lack of transparency increases the chance of unintended system changes or supply-chain style abuse through untrusted skill sources.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The document explicitly states that the skill will generate a report and save it to a predetermined path under ~/.claude/research_output/ without describing any user warning, confirmation, or opt-out. Automatic disk writes are risky because they can persist sensitive research topics, overwrite expected files, or leave artifacts on shared systems, and the autonomy-first framing increases the chance this occurs silently.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The file describes broad web searches and parallel agent spawning as part of normal execution, but does not mention any privacy boundary, data minimization, or warning that user-provided research topics may be transmitted to external services. In an autonomous skill, this is dangerous because potentially sensitive prompts, proprietary topics, or regulated data could be sent externally without informed consent.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding:
The invocation examples are extremely broad natural-language phrases like 'Use deep research...' and 'Deep research: ...', which can overlap with ordinary user requests and cause the skill to trigger unexpectedly. In a skill that advertises local file integration and code execution, ambiguous trigger boundaries increase the chance of unintended access, execution, or data processing when the user did not clearly consent to those actions.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The documentation states that the skill can search the local codebase/docs and execute code, but it provides no warning about the security, privacy, or system impact of those capabilities. In context, this is more dangerous because the same document encourages easy natural-language activation, so users may invoke powerful behaviors without realizing the skill may inspect local files or run commands.

Missing User Warnings

Severity: Low
Confidence: 82%
Finding:
The guide documents that all research is saved under ~/.claude/research_output/ with timestamped filenames, but it does not clearly warn users that their prompts, findings, and potentially sensitive derived content will be written to disk. This can create privacy and data-handling risks, especially on shared systems or when research includes confidential local context.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding:
The manifest uses broad trigger phrases such as 'comprehensive analysis' and 'compare X vs Y', which can cause the skill to activate for many ordinary requests. Over-broad invocation increases the chance that intrusive behaviors like file creation or subagent spawning occur in contexts where the user did not intend them.

Missing User Warnings

Severity: High
Confidence: 98%
Finding:
The skill mandates automatic file creation in ~/Documents and ~/.claude without prior warning or approval. Writing persistent data to user and internal directories without consent is dangerous because it changes local state, may expose sensitive query topics in filenames, and can leave artifacts the user did not expect.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The skill requires automatically opening generated HTML and PDF files without a user consent step. This is an unnecessary local action that can disrupt the user, trigger external handlers, and bypass the principle of least surprise.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The instructions direct shell-command execution for mkdir, validation, conversion, and opening files without clear disclosure or confirmation. Shell and subprocess-like operations materially increase risk because they can modify the filesystem and execute system-level actions beyond simple research synthesis.

Natural-Language Policy Violations

Severity: Medium
Confidence: 91%
Finding:
The document explicitly promotes replacing uncertainty-aware phrasing with stronger autonomous language such as assertions, imperatives, and expectations. In a deep-research skill, this can bias the agent away from asking clarifying questions, disclosing uncertainty, or deferring when evidence is incomplete, which increases the chance of overconfident or unauthorized actions. The surrounding context makes this more dangerous because the file is not merely descriptive; it frames these changes as a systematic improvement to operational behavior.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The script sends user-supplied citation data, including DOIs and URLs extracted from the report, to external services such as doi.org and arbitrary referenced hosts without making that data flow clearly visible in the CLI help or requiring explicit opt-in. This can leak sensitive report contents, internal URLs, or research targets during verification, which is a real privacy and data-handling risk even though the networking is part of the intended functionality.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The PRD explicitly describes automatic remote download via git/curl and local installation/copy into user skill directories, but does not require a clear consent step or warning about network access, repository trust, and filesystem modification. In a tool whose purpose is to fetch and install third-party skills, this omission increases the risk of users unintentionally importing untrusted content into privileged/global agent directories.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The PRD explicitly describes automatic output to editor config locations plus cleanup, partial overwrite, and mirror-sync behaviors, but it does not pair those actions with strong safety controls such as explicit destructive-operation warnings, dry-run previews, scoped deletion boundaries, backups, or confirmation before modifying existing files. In a tool that writes to global and local editor rule files, this can lead to accidental corruption or loss of user configuration and makes unsafe automation more likely if later implemented as specified.

Missing User Warnings

Severity: High
Confidence: 97%
Finding:
The recursive cleanup section states that the tool will scan output directories, compare expected files, and delete extra files and empty directories, but it does not define guardrails to prevent deletion of user-created content or misresolved paths. Because this project targets configuration directories under home and workspace paths, an implementation following this PRD could cause destructive data loss from path mistakes, registry errors, or unsafe assumptions about ownership.

VirusTotal

67/67 vendors flagged this skill as clean.