Back to skill

Security audit

Automatically search for literature on environmental psychology

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Web of Science literature helper that saves local metadata and open-access PDFs, with no hidden credential access or persistence found.

Install only if you are comfortable sending paper DOIs to Unpaywall and saving downloaded PDFs locally. Use it within your institution's Web of Science, copyright, and publisher-access rules, and choose an output directory you are comfortable writing files into.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises browser automation, HTTP access, and local file organization/output, which implies network, file_read, and file_write capabilities, but it does not declare permissions. That mismatch weakens security review and user consent because the actual operational scope is broader than what the manifest communicates, especially for a tool that logs into Web of Science and downloads/stores documents.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.