Back to skill

Security audit

Deep Research v7

Security checks across malware telemetry and agentic risk

Overview

This research skill is broadly legitimate, but it exposes a hardcoded third-party API key and has under-scoped web fetching, authenticated-site, and file-writing behavior that should be reviewed before use.

Install only after removing and rotating the exposed API key, confirming all external LLM and relay services are acceptable, and running it in a sandboxed workspace. Avoid using cookies or authenticated pages unless you have explicit authorization and secure credential handling, and review output paths before running report-generation scripts because some can overwrite existing files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (30)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill advertises and instructs use of shell, Python, network retrieval, and file read/write behavior, but it does not declare corresponding permissions. That creates a trust-boundary failure: an agent or user may invoke a capability-heavy workflow without clear authorization, review, or sandbox expectations, increasing the chance of unintended network access, local file modification, or environment exposure.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented behavior materially differs from the described purpose, including undeclared local file operations, topic-specific report generation, broader scraping/processing behavior, and use of external LLM services with hardcoded credentials. Description-behavior mismatch is dangerous because it defeats informed consent and review: operators may approve a 'research skill' that actually performs additional data handling, external transmission, or destructive overwrite operations.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The integration guide broadens the skill from academic/literature research into general web and report scraping, including consulting, news, and government sites. This scope expansion increases the chance that the agent will access data sources and workflows not clearly disclosed in the skill metadata, which can bypass user expectations and weaken policy controls around authorized research use.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The document advises using cookies to access sites that require login, which encourages the operator to bypass normal access boundaries and potentially transmit authenticated session material into the skill workflow. In a research skill context, this is especially risky because it can lead to unauthorized collection of restricted content, leakage of session tokens, and mishandling of personal or enterprise data.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The explicit phrase 'use Cookie to bypass login restrictions' normalizes access to authenticated or restricted pages through session reuse rather than approved access methods. That creates a direct risk of unauthorized access, terms-of-service violations, and exposure of sensitive cookies or private content if the workflow stores, logs, or forwards those credentials.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script prepends a hard-coded external workspace path to `sys.path`, causing imports to resolve from an uncontrolled local codebase outside the skill file itself. In an agent environment, this creates a code-trust boundary violation: if that external path is modified, the script may execute attacker-controlled code during import, which is especially risky because the imported `ResearchTools` likely has network and file access.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code embeds a live external API credential directly in source. Hardcoded secrets are dangerous because anyone with code access can extract and misuse the credential for unauthorized API calls, billing abuse, or access to associated services, and the secret is difficult to rotate once distributed.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The code sends target page URLs to the third-party relay service r.jina.ai instead of fetching content directly from the original site. This creates an unnecessary data disclosure and trust-boundary expansion: user-requested research targets, browsing intent, and possibly access patterns are exposed to an external service that is not declared in the skill metadata.

Context-Inappropriate Capability

High
Confidence
100% confidence
Finding
The code embeds a live third-party LLM API credential directly in source, which exposes the secret to anyone who can read the file, repository, logs, or packaged artifact. A leaked key can be abused to consume paid services, impersonate the application to the provider, and potentially expose user research topics and generated content to an undisclosed external service.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This is a true integrity vulnerability: despite presenting itself as a synthesis pipeline over user-provided research cards, the script emits hard-coded briefs and a hard-coded final report that are largely unrelated to the actual input data. In a deep-research skill, this can fabricate conclusions, misrepresent evidence provenance, and cause users to act on false claims while believing they are grounded in downloaded literature.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The comments and surrounding flow imply LLM-based clustering and card-to-brief synthesis, but the implementation instead performs fixed manual output generation. That mismatch is dangerous because it deceives operators about what the system actually analyzed, undermining trust, auditability, and any downstream decision-making based on supposed automated evidence synthesis.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation discusses web fetching, login-restricted sites, and cookie usage without warning users about privacy, authorization, credential handling, or data transmission risks. In a skill that automates research and downloads content, omission of these safeguards can mislead users into unsafe operation and increase the likelihood of collecting protected or personal data without proper consent.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The auto-trigger phrases are broad enough to match many ordinary requests for 'research' or 'survey,' which can cause the skill to activate unexpectedly. In a skill that can access network resources, run commands, and write files, over-broad triggering increases the risk of unintentional execution and side effects without the user's clear intent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill describes automatic PDF downloading, web retrieval, and parsing but does not present a user-facing warning about network access, remote content handling, or local storage effects. This omission is risky because research workflows routinely pull untrusted external documents and may persist them locally, exposing the system to privacy, compliance, and supply-chain risks.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The execution examples directly instruct running shell and Python commands that fetch external content and generate report files, but they do not warn about these side effects. Copy-pastable commands without safety guidance can lead users or agents to execute networked workflows that write to disk and consume external data without understanding the operational or security consequences.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The manifest advertises broad auto-trigger phrases such as “深度研究”, “文献调研”, and similar generic requests that can match common user intent far beyond narrowly scoped literature-review tasks. In an agent environment, this can cause the skill to activate unexpectedly, gaining access to web fetching, PDF download/parsing, and multi-source research workflows when the user may not have intended to invoke such a powerful capability.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script unconditionally opens an existing report path in write mode and replaces its contents with newly generated output, which can destroy prior analysis if the generation step is wrong, truncated, or manipulated. In this skill context, the file is part of a research/report pipeline, so accidental data loss or corruption of a final deliverable is realistic and the risk is increased because the content comes from an LLM-generated report merged into an existing artifact.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script appends generated model output to an existing markdown file by reopening the same path in write mode, which overwrites the file contents without any confirmation, backup, or atomic safety checks. In a research skill that auto-generates and persists reports, this can cause irreversible data loss or corruption of analyst-authored content if the generated output is wrong, duplicated, or triggered on the wrong dataset/path.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script unconditionally deletes an existing report file before regenerating it, with no confirmation, backup, or atomic write strategy. In an automated agent environment, this can cause silent data loss if the file contains manually edited content or if generation fails after deletion, leaving the user with no report at all.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script unconditionally deletes a pre-existing report file in a fixed workspace path without prompting the user, creating a risk of silent data loss or destruction of prior analysis artifacts. In a research/report-generation skill, this is more dangerous because outputs may be manually edited or serve as records, and reruns can erase work unexpectedly.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script unconditionally deletes an existing report file and regenerates it without any confirmation, backup, or atomic write strategy. In a research skill context, this can destroy prior analysis outputs or overwrite curated results, causing data loss and making it easy for an operator or chained workflow to clobber important artifacts unintentionally.

Missing User Warnings

High
Confidence
98% confidence
Finding
Using a hardcoded API key without clear disclosure compounds the secret-management problem and hides a sensitive outbound dependency from users/operators. If the code is shared or deployed broadly, the credential can be abused silently while users remain unaware that their requests depend on an embedded third-party account.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script transmits user-provided topics and compiled paper metadata to an external API without explicit disclosure or consent. In a research workflow, topics may contain confidential business plans, unpublished research directions, or sensitive health-related context, so undisclosed third-party transfer creates a real data leakage risk.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The code downloads arbitrary remote PDFs to local temporary storage and parses them without warning or robust validation. This expands attack surface through untrusted file retrieval and document parsing, and can lead to SSRF-like behavior, malicious file processing risks, disk usage issues, or exposure of network activity that users did not expect.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script stores fetched webpage content, including full_text, into a local JSON file under sources/ without any consent prompt, retention limit, or redaction. In a research skill that may fetch arbitrary pages or PDFs, this can persist copyrighted, sensitive, or internal data to disk unexpectedly and increase exposure to local disclosure or accidental reuse.

VirusTotal

No VirusTotal findings

View on VirusTotal

Static analysis

No suspicious patterns detected.