Back to skill

Security audit

Nature Paper Hub

Security checks across malware telemetry and agentic risk

Overview

This academic writing skill is not overtly malicious, but it needs Review because it can expose research queries externally and includes a contaminated bundled literature index.

Install only if you are comfortable with an academic assistant that may query external services using your research topics, claims, references, or paper identifiers. Avoid using it with confidential manuscripts, unpublished work, private PDFs, or sensitive reference lists unless you remove or disable the personal LitReview/API steps and replace the bundled papers index with a sanitized corpus.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (16)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill instructs use of an owner-only authenticated API without manifest disclosure, clear access control handling, or user-scoped consent. This can lead to unauthorized use of privileged credentials or silent transmission of user research topics to a private third-party service outside the user's expectations.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This appears to be a true data-exposure issue. The file explicitly claims to contain only public literature metadata, yet it includes immigration/passport-related application text that is unrelated to bibliographic indexing and may contain sensitive personal or administrative information. In a skill that may surface or search this corpus automatically, such content could be retrieved, summarized, or leaked to end users unexpectedly.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The top-level description is contradicted by the actual contents: the file references a personal library and includes download traces that are not clean public metadata. This is dangerous because downstream users and systems may trust the declaration and handle the dataset as sanitized, causing accidental disclosure of private provenance and access metadata.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill instructs execution of an external script located under a different skill/package path (`nature-paper-hub/scripts/auto_figure.py`), which breaks self-containment and creates a trust-boundary problem. If that external script is modified, replaced, or has broader capabilities than expected, activating this figure skill could trigger unintended code paths or data handling beyond simple figure generation.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The skill advertises PPTX generation but directs execution to a script under a different skill path (`nature-paper-hub/scripts/export_pptx.py`). This creates a cross-skill trust boundary problem: an agent following these instructions may execute code that was not reviewed as part of this skill, causing unintended capability access, incorrect behavior, or execution of a maliciously modified script in another skill directory.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The README says the skill can be triggered naturally in conversation with no extra command, which encourages broad natural-language activation. In agent platforms, loose trigger semantics can cause unintended invocation on ordinary user text, leading to accidental access to local files, literature libraries, or network-connected retrieval features.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The README presents many generic words and short phrases like journal selection, literature, abstract, export, and rebuttal as direct triggers. Such unspecific keywords increase the chance of accidental routing during normal conversation, which may launch workflows involving document processing, retrieval, or data export without sufficiently deliberate user intent.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README advertises use of personal literature libraries plus web and CrossRef retrieval, but does not warn users that local content, metadata, or queries may be transmitted or exposed to external systems. This creates a privacy and data-governance risk, especially in unpublished research contexts where references, topics, and drafts can be sensitive.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The example workflow processes a local PDF and translation/reader task without warning that document contents may be transmitted to external models or services. For academic manuscripts and downloaded papers, this can expose confidential drafts, licensed content, or sensitive annotations if users assume processing stays local.

Missing User Warnings

Low
Confidence
83% confidence
Finding
The skill directs exporting files to user paths without warning about file creation or overwrite effects. Even if the default paths are benign, silent writes to local storage can surprise users, overwrite prior work, or create sensitive manuscript artifacts in predictable locations.

Natural-Language Policy Violations

Medium
Confidence
97% confidence
Finding
This is a genuine privacy-sensitive disclosure because it exposes a specific IP address and timestamp associated with library access. Even if embedded in scraped article text, it can reveal institutional usage patterns or identify a person or small group, especially in a personal-library context.

Natural-Language Policy Violations

Medium
Confidence
96% confidence
Finding
This finding is a true privacy issue because the record contains institutional download metadata including a specific IP address. In a literature-assistant skill, such data serves no legitimate user purpose and increases the chance of privacy leakage through search, retrieval, or model output.

Natural-Language Policy Violations

Medium
Confidence
96% confidence
Finding
This is a true vulnerability because it exposes access metadata combining IP address and timestamp, which can be sensitive operational or personal information. The skill context makes it more dangerous because a writing assistant may quote or summarize these records verbatim, unintentionally propagating the disclosure to users or external documents.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The manifest description is broad enough to activate on generic citation-related requests that fall outside the stated Nature/CNS-specific scope. Over-broad activation can cause the wrong skill to run, leading to unnecessary external lookups and possible disclosure of user research topics or manuscript content to third-party services.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger phrases include highly generic terms like 'citation', 'reference', and 'Zotero', which are common across many benign requests and not constrained to this skill's narrow domain. This increases the chance of accidental invocation and downstream transmission of sensitive queries to external services without the user intending to use this specialized workflow.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The workflow sends user-provided claims or topics to a personal LitReview library API before any notice or consent step. Research claims, unpublished manuscript text, or confidential project topics may therefore be exposed to a third-party endpoint tied to a personal library, creating a privacy and data-governance risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.