Daily Literature Search

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real literature-monitoring skill, but it needs review because installation adds recurring background execution and the search script runs another local skill that is not clearly declared as a dependency.

Install only after reviewing install.sh. Run it with --dry-run first, decide whether you want the cron job (remove it with the uninstall option if you prefer manual-only use), protect the .env file or avoid filling it with real secrets, and verify that the referenced literature-review skill in the workspace is trusted before enabling scheduled runs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding: The skill documents capabilities to read/write local files, access environment variables, use the network, and be scheduled via shell/cron, but it does not declare permissions or scope them explicitly. That creates a transparency and governance gap: users may approve a seemingly simple literature-search skill without realizing it can process local uploads, persist files, and use secrets from the environment.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The documented behavior is inconsistent with the declared purpose: besides remote literature search, it also processes user-uploaded local PDFs and reportedly invokes an external 'literature-review' skill. Hidden or under-documented behavior is dangerous because it expands the trust boundary to local data handling and transitive code execution/dependency behavior that users did not clearly consent to or review.

Intent-Code Divergence

Severity: Low
Confidence: 95%
Finding: The script actually uses CONFIG_FILE="${SCRIPT_DIR}/config.yaml", but the post-install message tells the user to edit config/config.yaml. This mismatch can cause users to edit the wrong file, leaving the real configuration unchanged and potentially resulting in unsafe defaults or failed execution.

Context-Inappropriate Capability

Severity: Medium
Confidence: 83%
Finding: The script executes another local skill from a configurable workspace path, which expands its privileges from literature search into arbitrary local code orchestration. In a skill ecosystem where other skills or workspace contents may be user-supplied or tampered with, this creates a trust-boundary violation that can lead to unintended code execution.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The installer creates a plaintext .env file containing placeholders for API keys, email credentials, and webhooks, but provides no warning about file permissions or secret-handling risks. On multi-user systems or in poorly secured working directories, this can expose sensitive credentials to other local users or accidental backup/version-control leakage.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The installer modifies the user's crontab automatically without an explicit confirmation prompt. Even though scheduled execution is part of the skill's intended behavior, silently adding persistence can surprise users, create unintended background execution, and make troubleshooting or rollback harder.

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
# Install: pip install -r requirements.txt

# HTTP requests for API calls
requests>=2.28.0

# YAML configuration support
pyyaml>=6.0
Confidence: 90%
Finding: requests>=2.28.0

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
requests>=2.28.0

# YAML configuration support
pyyaml>=6.0

# Optional: Better CLI interface
# click>=8.0.0
Confidence: 91%
Finding: pyyaml>=6.0

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

Severity: High
Category: Supply Chain
Confidence: 84%
Finding: requests

Known Vulnerable Dependency: pyyaml — 8 advisory(ies): CVE-2019-20477 (Deserialization of Untrusted Data in PyYAML); CVE-2020-1747 (Improper Input Validation in PyYAML); CVE-2020-14343 (Improper Input Validation in PyYAML) +5 more

Severity: Critical
Category: Supply Chain
Confidence: 95%
Finding: pyyaml

VirusTotal

63/63 vendors flagged this skill as clean.