Back to skill

Security audit

cite-check

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it checks citations by fetching cited sources and optionally running local claim-support analysis, with some privacy considerations for sensitive drafts.

Install only if you are comfortable with live network checks against the sites cited in your drafts. For confidential or embargoed material, run only phase 1/2 in a controlled environment, keep OLLAMA_HOST pointed at localhost, and avoid using it on drafts whose citation list or source URLs must remain private.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

Tainted flow: 'OLLAMA' from os.environ.get (line 37, credential/environment) → httpx.post (network output)

Critical
Category
Data Flow
Content
def _ollama_generate(model: str, prompt: str, timeout: int = 120) -> str:
    r = httpx.post(f"{OLLAMA}/api/generate",
                   json={"model": model, "prompt": prompt, "stream": False,
                         "options": {"temperature": 0}},
                   timeout=timeout)
Confidence
96% confidence
Finding
r = httpx.post(f"{OLLAMA}/api/generate", json={"model": model, "prompt": prompt, "stream": False, "options": {"temperature": 0}}, tim

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill documentation describes capabilities that require network access, shell execution, and environment use, but the manifest does not explicitly declare those permissions. This creates a transparency and policy-enforcement gap: a runner or reviewer may treat the skill as lower risk than it really is, while it can still fetch remote content and participate in blocking CI workflows.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented purpose emphasizes citation verification, but the described behavior goes further by fetching full remote content, contacting additional services such as ar5iv.org and localhost Ollama, and loading/downloading ML models. That mismatch is dangerous because operators may approve or automatically invoke the skill expecting a narrow validation tool, while it actually expands the attack surface, exfiltration paths, and resource usage substantially.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly says the tool extracts URLs and arXiv IDs from drafts and fetches them live, but it does not warn users that draft-derived references will be transmitted to external services such as cited domains and the arXiv API. In a publish pipeline, drafts may contain confidential or embargoed references, so automatic outbound requests can leak sensitive research topics, internal document contents, or pre-release source lists to third parties and logs.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.