phd-research-companion

Security checks across malware telemetry and agentic risk

Overview

This skill fits a PhD research workflow, but it overstates what it can do and includes under-disclosed local scanning, secondary file writes, and code-executing validation behavior.

Review before installing or running. Use a dedicated test workspace. Avoid the test suite unless you are comfortable executing the bundled scripts' module-level code: its "syntax check" reads each script and passes the text to exec(), and its "--help" probe launches each script under python3, so both run whatever the scripts do at import time. Do not enable cron/background runs until output paths are constrained, because several scripts write to a second, parent-relative compliance file outside the requested output location. Treat generated paper analyses and search outputs as placeholders unless you verify the scripts actually parse trusted sources. Avoid using sensitive or unpublished research topics with search workflows that may be logged locally or sent to third-party services such as arXiv or Semantic Scholar.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (19)

exec() call detected

High
Category
Dangerous Code Execution
Content
# Try importing module to check syntax
try:
    exec(open(full_path).read().split('if __name__')[0][:1000])  # Basic syntax check
    print(f"✅ Script exists: {script_path}")
    return True
except Exception as e:
Confidence
99% confidence
Finding
exec(open(full_path).read().split('if __name__')[0][:1000]) # Basic syntax check

subprocess module call

Medium
Category
Dangerous Code Execution
Content
for script in test_scripts:
    try:
        result = subprocess.run(
            ['python3', Path(__file__).parent / script, '--help'],
            capture_output=True, text=True, timeout=2
        )
Confidence
86% confidence
Finding
result = subprocess.run( ['python3', Path(__file__).parent / script, '--help'], capture_output=True, text=True, timeout=2 )

Direct flow: open (file read) → exec (code execution)

High
Category
Data Flow
Content
# Try importing module to check syntax
try:
    exec(open(full_path).read().split('if __name__')[0][:1000])  # Basic syntax check
    print(f"✅ Script exists: {script_path}")
    return True
except Exception as e:
Confidence
99% confidence
Finding
exec(open(full_path).read().split('if __name__')[0][:1000]) # Basic syntax check
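The exec() finding and the open-to-exec taint-flow finding above point at the same line: the "syntax check" reads the target script and hands the text to exec(), so every module-level statement in that script (imports, file writes, network calls) runs inside the checker's own namespace. The block below is an added example, not code from the skill or from the scanner. It places that pattern beside a parse-only check built on ast.parse, which raises SyntaxError on malformed source without executing anything, and beside an existence/executability check that never reads the file's contents. The sample scripts, the marker environment variable and the function names are constructed for the demonstration. The same caveat applies to the subprocess finding: launching a script under python3 with "--help" also executes its module-level code before any argument parser sees the flag.

```python
import ast
import os
import tempfile
from pathlib import Path

# Constructed sample script (not from the skill). Its module-level code has a
# visible side effect so we can tell whether a "syntax check" executed it.
SAMPLE_SCRIPT = '''import os
os.environ["SKILL_CHECK_SIDE_EFFECT"] = "ran"   # runs under exec()

def main():
    print("hello")

if __name__ == "__main__":
    main()
'''

# Constructed sample with a syntax error: the parse-only check must still reject it.
BROKEN_SCRIPT = "def main(:\n    pass\n"

MARKER = "SKILL_CHECK_SIDE_EFFECT"   # constructed marker name for this example


def unsafe_syntax_check(full_path: str) -> bool:
    """The flagged pattern: exec() over the first 1000 characters before
    'if __name__'. exec() runs that code, so any import, file write or
    network call at module level executes in this process."""
    try:
        exec(open(full_path).read().split('if __name__')[0][:1000])
        return True
    except Exception:
        return False


def safe_syntax_check(full_path: str) -> bool:
    """Parse-only replacement: ast.parse builds the syntax tree and raises
    SyntaxError on malformed source without executing a single statement."""
    try:
        ast.parse(Path(full_path).read_text(encoding="utf-8"), filename=full_path)
        return True
    except SyntaxError:
        return False


def script_is_present(full_path: str) -> bool:
    """What the original function claims to verify: the file exists and is
    executable. Neither check needs the file's contents to run."""
    p = Path(full_path)
    return p.is_file() and os.access(p, os.X_OK)


def demo() -> dict:
    """Run both checks on the constructed samples and record whether the
    module-level side effect fired. Returns a dict so the outcome is testable."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        good = Path(d) / "good.py"
        good.write_text(SAMPLE_SCRIPT, encoding="utf-8")
        good.chmod(0o755)
        bad = Path(d) / "bad.py"
        bad.write_text(BROKEN_SCRIPT, encoding="utf-8")

        os.environ.pop(MARKER, None)
        results["safe_good"] = safe_syntax_check(str(good))
        results["safe_ran_side_effect"] = MARKER in os.environ   # stays False
        results["safe_bad"] = safe_syntax_check(str(bad))        # False: SyntaxError caught
        results["present_good"] = script_is_present(str(good))

        os.environ.pop(MARKER, None)
        results["unsafe_good"] = unsafe_syntax_check(str(good))
        results["unsafe_ran_side_effect"] = MARKER in os.environ  # True: exec() ran the script
        os.environ.pop(MARKER, None)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The parse-only check is strictly stronger as a syntax check, since it covers the whole file rather than the first 1000 characters, and it is the check a reviewer expects from a function documented as verifying that a script "exists and is executable".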

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The generated dashboard embeds hard-coded research focus areas for network traffic fingerprinting regardless of the user-provided domain. In a research-assistant skill, this can silently misdirect users, contaminate project framing, and create misleading documentation that appears authoritative despite not matching the requested topic.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The README states the research domain is 'Network Traffic Fingerprint Analysis' even when the caller provides a different domain. This is more dangerous than a cosmetic mismatch because the README becomes a primary source of project truth and can propagate false assumptions into later commands, documentation, experiments, and submissions.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The quick-start commands, datasets, and checklist are all tailored to network traffic research even when another domain is requested. In this skill context, that increases risk because users may trust the generated project as domain-appropriate and unknowingly execute irrelevant or inappropriate workflows, wasting effort and compromising research integrity.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The report generator claims to summarize checklist validity, but it calls an undefined function `all_checklist_pass(...)` and relies on `data['passed']` values that are never updated by the checks. This causes the script to crash or produce uniformly incorrect failure reporting, which can block compliance review or mislead users about submission readiness.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The script advertises deep PDF analysis and structured extraction, but the implementation only parses filenames and emits placeholder content. This is a genuine integrity issue because users may rely on fabricated analyses for research or downstream automation, leading to false conclusions and unsafe trust in generated outputs.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The CLI exposes a 'deep' mode and describes 'full extraction', but no mode-specific logic or PDF content extraction exists. This discrepancy can mislead operators into believing a more thorough analysis occurred than actually did, undermining trust and potentially contaminating research workflows.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The code presents hardcoded values and placeholders as if they were extracted analytical dimensions from papers. In a research-assistant context, this is dangerous because it creates authoritative-looking but synthetic comparison data that can be mistaken for evidence-based analysis.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The constructor assigns `self.tracking_dir = tracking_dir.mkdir(...)`, but `Path.mkdir()` returns `None`, so the tracked path reference is broken immediately. It also computes a compliance file path using `../../00-dashboard/...`, which can target locations outside the intended tracking directory and cause writes to an unexpected parent-relative location. In this academic revision-tracking context, the behavior appears accidental rather than malicious, but it is still dangerous because it can corrupt or overwrite files outside the expected workspace boundary.
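Two defects in that constructor compound each other: Path.mkdir() returns None, so the tracker loses its own directory reference, and the compliance file is addressed with a "../../" prefix that resolves into a sibling directory. The block below is an added example, not the skill's code, reconstructing the pattern the finding describes beside a confined version that keeps the Path and rejects any write target that resolves outside the tracking directory. Directory names, class names and the "status.json" file are constructed for the demonstration.

```python
import tempfile
from pathlib import Path


def escapes_directory(base: str, candidate: str) -> bool:
    """True when `candidate`, after resolving '..' components, lies outside `base`.
    Resolving both sides first is what defeats parent-relative paths."""
    base_p = Path(base).resolve()
    cand_p = Path(candidate).resolve()
    try:
        cand_p.relative_to(base_p)
    except ValueError:
        return True
    return False


class BuggyRevisionTracker:
    """Constructed reproduction of the pattern in the finding: mkdir() returns
    None, so self.tracking_dir is None, and the compliance path walks two
    levels up into a sibling dashboard directory."""

    def __init__(self, tracking_dir: str):
        tracking = Path(tracking_dir)
        self.tracking_dir = tracking.mkdir(parents=True, exist_ok=True)   # -> None
        self.compliance_json = tracking / "../../00-dashboard/compliance.json"


class ConfinedRevisionTracker:
    """Fixed form: keep the Path object, and refuse any write target that
    resolves outside the tracking directory."""

    def __init__(self, tracking_dir: str):
        tracking = Path(tracking_dir)
        tracking.mkdir(parents=True, exist_ok=True)
        self.tracking_dir = tracking.resolve()
        self.compliance_json = self.confine("compliance.json")

    def confine(self, relative: str) -> Path:
        """Resolve a tracker-relative name and fail closed if it escapes."""
        target = (self.tracking_dir / relative).resolve()
        if escapes_directory(str(self.tracking_dir), str(target)):
            raise PermissionError(f"refusing to write outside {self.tracking_dir}: {target}")
        return target

    def write_status(self, relative: str, text: str) -> Path:
        target = self.confine(relative)
        target.write_text(text, encoding="utf-8")
        return target


def demo() -> dict:
    """Exercise both trackers in a throwaway workspace; returns testable results."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        tracking = str(Path(d) / "05-tracking" / "revisions")   # constructed layout

        buggy = BuggyRevisionTracker(tracking)
        out["buggy_tracking_dir"] = buggy.tracking_dir           # None
        out["buggy_target_escapes"] = escapes_directory(tracking, str(buggy.compliance_json))

        fixed = ConfinedRevisionTracker(tracking)
        written = fixed.write_status("status.json", "{}")
        out["fixed_status_inside"] = not escapes_directory(tracking, str(written))
        try:
            fixed.write_status("../../00-dashboard/compliance.json", "{}")
            out["fixed_rejected_escape"] = False
        except PermissionError:
            out["fixed_rejected_escape"] = True
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

If the tracker genuinely needs to update a shared dashboard file, that path should be an explicit, documented argument checked against a declared workspace root rather than a hard-coded parent-relative string, so the write is visible to whoever runs the tool.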

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The method claims to update the main compliance tracking file, but the constructor may silently redirect `self.compliance_json` to a local fallback file instead. That mismatch can undermine auditability and integrity of compliance data by making users believe a central status file was updated when only a local surrogate was modified. In this skill context, that is more of a reliability and traceability weakness than a direct exploit primitive.

Intent-Code Divergence

Low
Confidence
91% confidence
Finding
The method claims to update proof verification status, but it actually attempts to modify a broader compliance tracker outside the requested output file. Hidden side effects that alter project state are dangerous because users may run a read-like verification tool expecting only analysis output, while the script silently changes another file that could influence workflow, compliance dashboards, or downstream decisions.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
A notation-checking utility should not modify unrelated external state by default, especially a compliance-status file in another directory. This expands the tool's authority beyond its apparent purpose and can be abused to tamper with project governance metadata, create misleading validation records, or overwrite files in shared repositories if the script is run with write access.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The function advertises that it only verifies existence/executability, but it actually executes source code from the target file. This mismatch is security-relevant because it can mislead maintainers or users into running the test suite under the false assumption that it is passive, increasing the chance that dangerous behavior is triggered unexpectedly.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The quick-start instructions normalize immediate execution of project-initialization commands that create substantial workspace structure without an explicit warning about filesystem changes. In agent contexts, unclear disclosure of write behavior can lead to unintended directory creation, file overwrites, or automation in the wrong path.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This section encourages network-based literature collection and background execution but does not warn that search terms may be transmitted to third-party services such as arXiv or Semantic Scholar. In research settings, queries can reveal unpublished topics, confidential directions, or institution-linked activity, creating privacy and operational risk.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The search functions call progress_tracker.update() unconditionally, but progress_tracker is only initialized when --background is used. In normal execution it is None, so the first update() call raises AttributeError and terminates the script, a denial-of-service condition for the expected non-background usage. In this skill context the issue is less severe because it affects availability rather than enabling privilege escalation or data theft, but it still breaks the tool in a user-triggerable way.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script writes the requested report and also attempts to update a second project file without prominent user-facing disclosure. Undisclosed secondary writes are risky in agent skills because they violate user expectations, make review harder, and can silently alter repository state or automation inputs, particularly in CI or batch-processing contexts.

VirusTotal

64 of 64 vendors reported this skill as clean (no detections).
