Back to skill

Security audit

Literature Reviewer Skill

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent literature-review tool, but it needs user review because it can automate third-party database browsing, persist research data locally, and includes bulk PDF download guidance that may conflict with access limits or licensing terms.

Install only if you are comfortable with automated searches against academic databases and local storage of your research topics, search results, metadata, analyses, and possibly PDFs. Before using it with paid, institutional, or logged-in databases, confirm that automated searching and downloading are allowed by your license and site terms. Prefer using it for metadata collection unless you add explicit confirmation, storage-location, cleanup, and download controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The guide includes automation for batch PDF downloading and explicitly suggests strategies to avoid triggering platform limits. That goes beyond metadata retrieval for literature review and can facilitate unauthorized bulk acquisition of copyrighted content or violation of site terms, increasing legal, compliance, and abuse risk.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README explicitly advertises browser automation against external academic databases and creation of local session/output files, but it does not warn users that the skill will initiate network activity and persist potentially sensitive research topics and retrieved metadata to disk. In a skill ecosystem triggered by natural language, this omission can lead to surprising outbound access and local data retention, which is a real security/privacy concern even if not overtly malicious.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger phrases and usage examples are broad, ordinary requests such as '帮我找文献' or '写综述', which can overlap with routine conversation and cause the skill to activate unexpectedly. Because this skill can browse external sites and generate local artifacts, ambiguous activation increases the chance of unintended network operations and data handling without clear user intent.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger phrases are broad enough that normal user requests like '帮我找文献' or '写综述' could activate a workflow that performs browser automation, external site access, and local file creation without the user fully understanding the side effects. In this skill, the risk is higher because activation can lead to multi-step automation across third-party databases and persistent artifact generation.

Vague Triggers

Medium
Confidence
90% confidence
Finding
Repeating broad trigger keywords without boundaries increases the chance of unintended activation, especially in multilingual, everyday academic-assistance contexts. Because this skill can launch automated searches and create session/output directories, accidental invocation has meaningful privacy and consent implications.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The workflow creates multiple local session and output files, but the user-facing description does not clearly warn that persistent artifacts will be written. This is dangerous because users may disclose sensitive research topics or internal project names that are then stored locally without informed consent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill documents browser automation against external literature databases and collection of metadata and abstracts, but it lacks a clear privacy and network-access warning. This matters because user-provided topics may be sensitive, and automated access can disclose research interests to third-party services and create externally observable browsing activity.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The workflow explicitly persists session logs, checkpoints, search results, verified paper metadata, PDFs, and output files under a local sessions/ directory, but the description does not clearly warn users about this storage behavior. This can expose sensitive research topics, queries, downloaded content, and metadata on shared or unmanaged systems, especially because the skill is designed for automated literature collection over multiple phases.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The orchestrator sends user queries and paper metadata to multiple external services and databases such as CNKI, Semantic Scholar, PubMed, Crossref, OpenAlex, Unpaywall, and arXiv, yet there is no explicit privacy warning or consent step. In a literature-review skill, user queries may reveal confidential research interests, unpublished topics, or institutional priorities, so undisclosed third-party transmission creates a meaningful privacy and compliance risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The batch-download section provides operational guidance for downloading up to 50 papers and includes evasion-style recommendations such as spacing requests to avoid restrictions. In the context of a browser-automation skill, that materially increases misuse potential by normalizing automated access to protected resources without adequate compliance or risk warnings.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.