smart-research

Security checks across malware telemetry and agentic risk

Overview

This is a coherent public web research skill, but users should avoid sensitive queries or private URLs because requests may go to search engines and third-party fetch services.

Install only if you intend to use it for public web research. Do not submit confidential search terms, internal URLs, localhost/private-network addresses, credentials, or tokenized links unless you are comfortable with search engines or third-party fetch services receiving them. Use an isolated environment and pin dependencies for repeatable, safer installs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (21)

Tainted flow: 'url' from requests.get (line 346, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
            "Accept": "text/plain",
            "X-Return-Format": "markdown",
        }
        resp = requests.get(
            f"https://r.jina.ai/{url}",
            headers=headers,
            timeout=timeout,
Confidence
95% confidence
Finding
resp = requests.get( f"https://r.jina.ai/{url}", headers=headers, timeout=timeout, )

Tainted flow: 'url' from requests.get (line 346, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
    try:
        import requests

        resp = requests.get(
            f"https://markdown.new/{url}",
            headers={
                "Accept": "text/markdown",
Confidence
95% confidence
Finding
resp = requests.get( f"https://markdown.new/{url}", headers={ "Accept": "text/markdown", "User-Agent": "Mozilla/5.0 (Macintosh; Intel Ma

Tainted flow: 'url' from requests.get (line 346, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
    try:
        import requests

        resp = requests.get(
            f"https://defuddle.md/{url}",
            headers={
                "Accept": "text/markdown",
Confidence
95% confidence
Finding
resp = requests.get( f"https://defuddle.md/{url}", headers={ "Accept": "text/markdown", "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill explicitly advertises multi-engine search and multi-layer web fetching, and the execution section lists network-capable dependencies, yet no permissions are declared. This creates a transparency and policy-enforcement gap: hosts or users may not realize the skill can initiate outbound requests to arbitrary URLs and third-party services, increasing SSRF, data exfiltration, and privacy risk if the runtime does not separately constrain networking.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The README claims 'no data collection' and 'local execution' while also documenting external search engines and third-party fetch services. This is dangerous because users may submit sensitive queries or URLs under a false privacy assumption, causing unintended disclosure of research topics and fetched content to outside services.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The skill can launch a full local Playwright-controlled browser using a hard-coded host executable path, which gives it broader execution capability than users would expect from a simple research helper. That increases the risk of unintended access to local environment resources, authenticated sessions, and dynamic content with active script execution.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README does not clearly warn users that search inputs and fetch targets may be sent to multiple third-party services as part of the fallback chain. In a research skill, users may enter confidential topics, internal URLs, or sensitive investigation targets, which could be exposed externally without informed consent.

Natural-Language Policy Violations

High
Confidence
98% confidence
Finding
The README makes contradictory privacy assurances that imply all processing is local and no personal data is transmitted, despite the documented reliance on external search engines and content-extraction services. This is dangerous because it can induce high-trust use in sensitive contexts, leading to inadvertent leakage of confidential queries, URLs, and retrieved content to third parties.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly sends user search terms and target URLs to multiple external search engines and third-party fetch services, yet the feature description gives no prominent upfront risk notice. For a research skill, users are likely to enter sensitive topics, intranet addresses, or private links; if that content is forwarded to third parties such as r.jina.ai, markdown.new, or the search engines, it may cause privacy leakage and disclosure of business-sensitive information, and the README's "local execution" and "no data collection" statements weaken users' vigilance about outbound transmission.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill sends user queries to multiple search engines and transmits fetched URLs to external sites without a clear user-facing disclosure. In a research assistant context, search terms and targets may contain sensitive business, personal, or internal investigation data, so silent transmission creates a genuine privacy and data-governance risk.

Missing User Warnings

High
Confidence
97% confidence
Finding
These fallback fetchers do more than ordinary direct HTTP fetches: they send the requested URL to proxy-like third-party services that retrieve and transform content on the user's behalf. That is especially dangerous in a research skill because users may assume local fetching, while in reality both the target URL and potentially sensitive page contents are exposed externally.

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Core dependency
requests>=2.28.0

# Optional search engines
baidusearch>=0.0.1
Confidence
91% confidence
Finding
requests>=2.28.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0

# Optional search engines
baidusearch>=0.0.1

# Optional fetchers
crawl4ai>=0.3.0
Confidence
92% confidence
Finding
baidusearch>=0.0.1

Unpinned Dependencies

Low
Category
Supply Chain
Content
baidusearch>=0.0.1

# Optional fetchers
crawl4ai>=0.3.0
playwright>=1.40.0

# Optional config support
Confidence
97% confidence
Finding
crawl4ai>=0.3.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Optional fetchers
crawl4ai>=0.3.0
playwright>=1.40.0

# Optional config support
pyyaml>=6.0
Confidence
88% confidence
Finding
playwright>=1.40.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
playwright>=1.40.0

# Optional config support
pyyaml>=6.0

# Async support
aiohttp>=3.9.0
Confidence
95% confidence
Finding
pyyaml>=6.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
pyyaml>=6.0

# Async support
aiohttp>=3.9.0
Confidence
91% confidence
Finding
aiohttp>=3.9.0

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
89% confidence
Finding
requests

Known Vulnerable Dependency: crawl4ai — 5 advisory(ies): CVE-2025-28197 (Crawl4AI SSRF vulnerability); CVE-2026-26216 (Crawl4AI is Vulnerable to Remote Code Execution in Docker API via Hooks Paramete); CVE-2026-26217 (Crawl4AI Has Local File Inclusion in Docker API via file:// URLs) +2 more

Critical
Category
Supply Chain
Confidence
98% confidence
Finding
crawl4ai

Known Vulnerable Dependency: pyyaml — 8 advisory(ies): CVE-2019-20477 (Deserialization of Untrusted Data in PyYAML); CVE-2020-1747 (Improper Input Validation in PyYAML); CVE-2020-14343 (Improper Input Validation in PyYAML) +5 more

Critical
Category
Supply Chain
Confidence
96% confidence
Finding
pyyaml

Known Vulnerable Dependency: aiohttp — 10 advisory(ies): CVE-2024-52303 (aiohttp has a memory leak when middleware is enabled when requesting a resource ); CVE-2026-34514 (AIOHTTP has CRLF injection through multipart part content type header constructi); CVE-2026-34517 (AIOHTTP has late size enforcement for non-file multipart fields causes memory Do) +7 more

High
Category
Supply Chain
Confidence
87% confidence
Finding
aiohttp

VirusTotal

66/66 vendors flagged this skill as clean.
