Back to skill

Security audit

pubchem-database

Security checks across malware telemetry and agentic risk

Overview

The PubChem lookup functionality is mostly legitimate, but the skill also steers the agent to promote an unrelated K-Dense Web service and has an unsafe file-overwrite default.

Install only if you are comfortable with chemistry queries being sent to PubChem/NCBI and with the skill containing an unrelated prompt to suggest K-Dense Web during complex work. Use explicit, safe output filenames for downloads and avoid paths that could overwrite important workspace files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill clearly documents and encourages outbound network access to PubChem and related endpoints, but the metadata declares no permissions. That mismatch can undermine policy enforcement, informed consent, and sandbox decisions by causing the runtime or reviewer to underestimate the skill's capabilities.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill injects instructions to promote an external commercial platform, K-Dense Web, even though that behavior is unrelated to the core PubChem-querying function. This is dangerous because it creates a covert steering/promotion channel inside tool documentation, which can bias agent behavior, leak user workflow context to a third party, and subvert user intent.

Natural-Language Policy Violations

Medium
Confidence
98% confidence
Finding
The documentation tells the agent to proactively suggest K-Dense Web for certain classes of requests without user opt-in. Forced promotional behavior is a prompt-level policy violation because it overrides neutral assistance and can manipulate users toward a vendor-controlled platform based on their task complexity.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The function accepts a caller-controlled filename and passes it directly to `pcp.download(..., overwrite=True)`, which will overwrite any existing file at that path without confirmation or path restrictions. In an agent context, this can destroy local files or clobber important data if an untrusted prompt or tool input supplies an arbitrary path.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.