Back to skill

Security audit

Literature Reviewer Skill

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed literature-review automation skill, but users should run it in an isolated browser because it can use logged-in academic sessions and download papers.

Install only if you are comfortable with browser automation visiting academic sites using your current login state. Prefer Docker or a dedicated browser profile, avoid sensitive logged-in accounts, review database terms before downloading PDFs, and clear the sessions/output directories when the research data should not be retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The document includes automation for journal-metric lookup and especially PDF batch downloading, which exceeds the stated literature-review function of collecting citation metadata and abstracts. This expands the skill into automated access and acquisition of content, increasing the chance of misuse, account abuse, terms-of-service violations, and unintended downloading of copyrighted material.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The bulk PDF download section documents a capability that is unnecessary for generating a literature review and can be directly repurposed for mass acquisition of papers. Even if intended as convenience guidance, it materially enables automated downloading at scale, which can consume credentials, trigger anti-bot controls, and facilitate copyright or access-policy abuse.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly performs browser-based searches against external academic sites and writes research data to local session files, but the documentation does not warn users that their queries and retrieved metadata will be sent to third-party services and stored on disk. This creates a privacy and data-handling risk, especially when research topics are sensitive, proprietary, or personally identifying.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The README advertises very broad natural-language triggers such as '帮我找文献' and '写综述', which can overlap with ordinary user requests and cause the skill to activate unexpectedly. In this skill, unexpected activation is more sensitive than usual because the documented behavior includes browser automation, network access to third-party sites, and writing session/output files, so an accidental trigger can launch higher-privilege actions than the user intended.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The skill plans to use browser automation to collect literature metadata and abstracts and save them into local session files, but it does not clearly warn users about this collection and storage behavior. That creates a transparency and privacy risk, especially when research topics, search strategies, URLs, and retrieved content may reveal sensitive academic, medical, or commercial interests.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger list includes broad natural-language phrases such as '帮我找文献', '写综述', 'literature survey', and 'systematic review', which can match ordinary requests without sufficient scoping or confirmation. In a skill with browser automation and access to authenticated academic sites, over-broad auto-triggering can cause unintended web activity, use of user session cookies, and unnecessary access to external services.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The sample code actively opens result links and clicks download controls in a loop, but the documentation does not clearly warn about downstream effects such as triggering downloads to the local system, consuming institutional/account entitlements, or causing anti-abuse lockouts. That omission makes unsafe execution more likely in practice, especially in an automated agent context.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.install_untrusted_source

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
mcp.json:135