Back to skill

Security audit

Peer Reviewer

Security checks across malware telemetry and agentic risk

Overview

This paper-review skill largely does what it says, but it can send manuscript content to outside services and includes unsafe shell-based helper execution that needs review before use.

Review before installing, especially for confidential or unpublished papers. Use only with provider data handling you trust, assume manuscript content and derived critique may leave your machine, keep Google credentials least-privilege and outside the repo, and avoid the serper-tool/SkillSearchAdapter path until shell execution is replaced with argument-based execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill documentation instructs users to run a Node.js CLI and references environment-based cloud credentials, but the skill declares no permissions. That creates a transparency and governance gap: users or orchestration systems may treat the skill as low-risk while it can access environment configuration and potentially sensitive credentials at runtime.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented purpose frames the skill as a paper-review assistant, but the underlying behavior reportedly includes local file access, writing JSON to disk, external API calls, subprocess invocation, and use of cloud credentials. This mismatch is dangerous because it can cause users to provide sensitive manuscripts or paths without understanding that data may be persisted locally or transmitted to external services.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
This code launches an external CLI through shell-based execution using a command string that includes both a configurable executable path and user-influenced input (`claim`). Although quotes in `claim` are partially escaped, `exec` still invokes a shell, so shell metacharacters, platform-specific escaping edge cases, or a malicious `executablePath` can lead to command injection or unintended command execution. In the context of an academic reviewer skill, spawning arbitrary external processes is broader than necessary and increases the attack surface beyond simple paper analysis.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The code executes an external local Node-based tool by passing a shell command string into SkillSearchAdapter, creating a risky trust boundary with code outside this package. If an attacker can place or modify the referenced serper-tool path, the reviewer may execute unintended code during normal operation, which is especially dangerous for a skill whose stated role is only paper review.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README explicitly describes use of external search providers and automatic provider detection, but it does not warn users that submitted paper text or claims may be transmitted to third-party services such as OpenAI, Google, Serper, or ArXiv-related queries. In an academic review context, inputs may contain unpublished manuscripts, proprietary research, or sensitive data, so the omission can lead to unintended confidentiality and privacy exposure.

Missing User Warnings

Low
Confidence
83% confidence
Finding
The documentation tells users to place `google.json` in the project root or set `GOOGLE_APPLICATION_CREDENTIALS`, but provides no warning about secure storage, least privilege, or avoiding accidental inclusion in source control. This increases the chance of credential leakage or unsafe handling of cloud service accounts.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The adapter sends user-derived claim content to an external third party (ArXiv) without any visible consent, disclosure, or minimization beyond naive keyword filtering. In a paper-review context, claims may contain unpublished ideas, confidential manuscript text, or sensitive research directions, so this can cause unintended data leakage to an external service.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The adapter sends the raw user-provided claim text to a third-party search API, which can expose unpublished research ideas, sensitive paper contents, or proprietary prompts outside the local trust boundary. In an academic paper review skill, users may submit confidential manuscripts, so external transmission without clear disclosure or consent creates a real privacy and data-governance risk even if the code is functionally correct.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Full claim text extracted from a user-supplied document is sent to an external search provider without any visible consent, disclosure, or minimization. Academic papers can contain unpublished research, proprietary methods, or sensitive data, so transmitting verbatim claims may leak confidential content to third parties and create compliance or IP risks.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code sends claims plus literature-derived context to an LLM, which means document-derived content and potentially sensitive analytical outputs are transmitted to an external model provider without explicit notice. In the context of academic peer review, this can expose unpublished ideas, reviewer analysis, or confidential manuscript content beyond the user’s expectations.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The full document text is passed directly to an LLM for parsing with no visible disclosure that user content may leave the local environment. Because this skill processes academic papers, the content may include embargoed manuscripts, trade secrets, or personally identifiable information, making undisclosed external transmission a meaningful privacy and confidentiality risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The graph and objection data encapsulate structured representations of the paper’s arguments and critique, and these are sent to the LLM without explicit disclosure. Even if the original text is transformed, the derived data can still reveal confidential research content and reviewer reasoning, creating privacy, confidentiality, and intellectual-property exposure.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The review path sends paper content into the engine backed by external LLM/search providers, but this file provides no explicit consent flow or warning to users that submitted text may leave the local environment. For academic papers, this can expose unpublished research, proprietary content, or personal data to third-party services.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The code persists generated reports to disk without any notice in this file that output data will be retained locally. Even if the report is derived content, it may contain sensitive excerpts, model judgments, or confidential research details that users may reasonably expect to be ephemeral.

Known Vulnerable Dependency: axios==1.6.0 — 10 advisory(ies): CVE-2026-44494 (axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `co); CVE-2026-44495 (axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollut); CVE-2025-62718 (Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF) +7 more

High
Category
Supply Chain
Confidence
91% confidence
Finding
axios==1.6.0

Known Vulnerable Dependency: zod==3.22.0 — 1 advisory(ies): CVE-2023-4316 (Zod denial of service vulnerability)

Low
Category
Supply Chain
Confidence
78% confidence
Finding
zod==3.22.0

VirusTotal

46/46 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access, suspicious.potential_exfiltration

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
src/adapters/openclaw_llm.ts:17

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
src/adapters/vertex_ai.ts:47

Sensitive-looking file read is paired with a network send.

Warn
Code
suspicious.potential_exfiltration
Location
src/adapters/vertex_ai.ts:52