Security audit

PubMed Search

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward PubMed search tool that contacts public NCBI/PMC services for literature retrieval and shows no evidence of hidden credential, persistence, or destructive behavior.

Before installing, understand that searches and PMIDs will be sent to public NCBI/PMC services. The skill does not require an API key and does not appear to store data locally, but its metadata should ideally declare its network access explicitly.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 93% confidence
Finding: The skill clearly performs outbound network access to NCBI and PMC endpoints, but the manifest does not declare any corresponding permission or capability beyond requiring the Node binary. This creates a transparency and policy-enforcement gap: users or hosting platforms may believe the skill is lower risk than it is, and undeclared network access can enable unexpected data exfiltration, unreviewed external communications, or bypass of permission controls.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal