sciverse academic retrieval

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Sciverse academic-retrieval skill that uses a declared API token to query Sciverse endpoints.

Install only if you intend to use Sciverse academic retrieval and are comfortable providing a Sciverse API token. Treat SCIVERSE_API_TOKEN as a private secret, avoid committing it or sharing logs/screenshots that contain it, and rotate it if exposed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 82% confidence
Finding: The README tells users to export `SCIVERSE_API_TOKEN` but does not state that it is a sensitive secret, should not be committed to source control, and should be stored securely. This can lead to accidental token exposure through shell history, screenshots, logs, shared environment files, or copied setup snippets, enabling unauthorized use of the associated API account.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal