Citation Diversifier

Security checks across malware telemetry and agentic risk

Overview

The visible citation-budget helper is mostly coherent, but the package also installs broad, under-disclosed research pipeline and workflow tooling unrelated to citation diversification.

Install only if you intentionally want the broader research pipeline bundle, not just a citation-budget helper. For normal use, prefer a trimmed version containing SKILL.md, scripts/run.py, and only the minimal shared helpers needed to read the cited inputs and write output/CITATION_BUDGET_REPORT.md.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    log_path = workspace / log_rel

    try:
        completed = subprocess.run(cmd, check=False, capture_output=True, text=True)
        if completed.stdout or completed.stderr or completed.returncode != 0:
            ensure_dir(log_path.parent)
            body = [
Confidence
94% confidence
Finding
completed = subprocess.run(cmd, check=False, capture_output=True, text=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill declares no explicit permissions, but its instructions and helper script usage clearly require reading multiple workspace files, writing an output report, and invoking Python from the shell. This creates a permissions/behavior mismatch that can bypass operator expectations and policy enforcement, especially in systems that rely on declared permissions for sandboxing, review, or consent.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This file is a general workflow executor that can run arbitrary skill scripts, which materially exceeds the declared citation-diversifier scope of producing citation-budget plans without introducing new facts. That mismatch is dangerous because users and higher-level policy may trust the skill as low-risk content tooling, while the implementation has broad execution capabilities that can modify workspace state and trigger arbitrary downstream behavior.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The file implements a workflow runner, checkpoint manager, approval handler, reroute evaluator, and error logger rather than citation-diversification logic. This scope deception increases risk because a supposedly narrow, no-network, guardrailed content skill actually has broad control over execution flow and workspace mutations, undermining least privilege and making policy-based trust decisions unreliable.

Scope Creep

Medium
Confidence
95% confidence
Finding
The code updates unit status, logs, and decision approval state, including auto-approving HUMAN checkpoints, which goes beyond a no-network citation-planning tool's expected authority. Even without network access, broad write and approval-mutation capability can be abused to bypass human review gates, falsify workflow state, or advance pipelines based on untrusted metadata.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This file implements a full research-ideation and memo-generation pipeline that is materially unrelated to the declared citation-diversifier skill. In an agent-skill setting, this is dangerous because the skill can perform off-scope work, create unexpected outputs, and influence downstream workflow decisions under a misleading manifest, undermining least-privilege and review assumptions.

Scope Creep

Medium
Confidence
90% confidence
Finding
The code includes generic write helpers used to create JSON, JSONL, and Markdown artifacts, which enables the skill to emit multiple files beyond the citation-planning behavior described in the manifest. In context, this is risky because hidden or undocumented artifact creation can poison downstream stages, overwrite expected outputs, or conceal unauthorized workflow expansion.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The inline documentation and generated report structure explicitly describe a 'Research Idea Brainstorm Memo,' which directly contradicts the skill's declared purpose of increasing citation diversity without adding facts. This mismatch increases danger because operators and automated orchestrators may trust the manifest while the implementation nudges the system into generating off-mission research content and derivative planning artifacts.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The pipeline is marked with broad routing hints such as 'survey', 'review', and multilingual equivalents, while also setting routing_default: true and a high routing_priority. That combination can cause the agent to invoke this heavy, domain-specific pipeline for generic literature-review style requests, leading to misrouting, unintended artifact generation, or bypass of a more appropriate specialized workflow.

VirusTotal

64/64 vendors flagged this skill as clean.
