scholar-report

Security checks across malware telemetry and agentic risk

Overview

This research-report skill does what it says, but it automatically sends queries to a third-party API and includes a shared built-in bearer token.

Review before installing. Use this only for research topics you are comfortable sending to scholar.x49.ai, prefer setting your own SCHOLAR_API_KEY, and avoid confidential or unpublished research unless you understand the service's data handling. Save downloaded reports only when you want that content persisted in the workspace.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 94%
Finding: The skill sends user research queries and related filters to an external service but does not clearly warn the user up front about that data transfer. This creates a privacy and consent risk, especially if users include sensitive, proprietary, or regulated research topics assuming processing is local.

Ssd 3

High
Confidence: 99%
Finding: The skill embeds a reusable bearer token directly in the instructions and encourages fallback to it when no environment key is set. Hardcoded secrets are inherently unsafe because they can be copied, abused outside intended controls, exhaust shared quota, and normalize insecure secret-handling patterns for downstream users and agents.

VirusTotal

64/64 vendors flagged this skill as clean.
