Security audit

literature-recommendation

Security checks across malware telemetry and agentic risk

Overview

The skill is a disclosed literature-recommendation workflow that reads team research profiles, fetches arXiv papers, stores results, and prepares OpenClaw delivery payloads.

Install only if the operator is comfortable granting access to a PostgreSQL database containing member research profiles and Feishu user IDs. Use a dedicated low-privilege DB account, restrict the output directory, and set retention or cleanup rules for generated JSON reports and stored recommendation history.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding: The skill declares no permissions while its documented workflow clearly involves network access, database interaction, and file/output generation. This creates a capability-transparency gap: users and orchestrators cannot make an informed trust decision, and hidden side effects such as data persistence or external data transfer may occur unexpectedly.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 93%
Finding: The declared purpose suggests recommendation and output to OpenClaw, but the actual documented behavior expands to external network retrieval, persistent storage of run history and recommendations, local report writing, and construction of personal delivery payloads. That mismatch can mislead users and platform policy checks, causing profile data and recommendation artifacts to be processed or retained in ways the user did not reasonably expect.

Vague Triggers

Severity: Medium
Confidence: 79%
Finding: The trigger phrases are broad and overlap with ordinary recommendation-style requests, increasing the chance the skill is invoked unintentionally. In this skill's context, accidental invocation matters because it can read member profiles, fetch remote content, and persist recommendation data, so a benign chat request could trigger non-obvious side effects.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The skill description explains functionality but does not warn that it accesses member research profiles and persists recommendation outputs/history. This weakens informed consent and privacy transparency, especially because the data concerns identifiable team members and may be retained in PostgreSQL or written to output artifacts.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The pipeline writes a comprehensive JSON report to disk containing member profiles, fetched papers, recommendation reasons, and delivery payload metadata. If the output directory is broadly accessible, backed up, or retained indefinitely, this creates an unnecessary privacy and data-exposure surface for personally linked recommendation data.

VirusTotal

65/65 vendors flagged this skill as clean.
Static analysis

No suspicious patterns detected.