
Security audit

work work

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly what it claims to be, an academic formatting tool, but its Word generator auto-opens the output file through a shell command built from a user-controlled path, which creates a real local command-execution risk.

Install only if you are comfortable reviewing and running local scripts. Avoid unusual or untrusted filenames with the superscript Word generator, disable or remove its auto-open behavior if you can, run it on copies of manuscripts, and use --deep-check only if you are willing to send reference metadata to Crossref.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding
The script automatically opens the generated .docx by constructing a platform-specific shell command and invoking it with child_process.exec. The output path is wrapped in double quotes, but that is not a complete defense: a POSIX shell still performs $(...) and backtick command substitution inside double quotes, and a literal double quote in the filename ends the quoted region. Using a shell is unnecessary for a document-formatting tool and creates avoidable command-execution risk whenever path handling is bypassed or a shell-parsing edge case is hit; it also triggers an unsolicited local application launch.

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%
Finding
The script transmits reference metadata derived from user documents to Crossref over the network during '--deep-check'. That creates a privacy and data-governance issue because document contents are sent to a third party, while the skill is described primarily as a formatting/review assistant and the transmission may be unexpected to users.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding
The script can automatically open a local Word document after checks pass, invoking the platform file handler without an explicit confirmation at runtime. In agent or automation environments, launching local files/applications can have unintended side effects, including triggering document macros, external template loads, or simply violating least-privilege expectations for a text-checking utility.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding
The script automatically opens a generated document when checks pass, causing local side effects beyond literature validation. In an agent skill context, unexpected application launch is security-relevant because it can trigger external handlers, execute document-associated software, and reduce user control over potentially untrusted generated content.

VirusTotal

64/64 vendors flagged this skill as clean.


Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Severity: Critical
Code: suspicious.dangerous_exec
Location: scripts/create_word_with_superscript.js:45