Back to skill

Security audit

Research Papers

Security checks across malware telemetry and agentic risk

Overview

This is mostly a legitimate academic paper-search skill, but its optional QQBot handoff can run an external Python script and transfer generated review files outside the core research workflow.

Install only if you are comfortable with a research helper that sends queries to OpenAlex/Unpaywall and stores cache/output files locally. Avoid `--qqmedia` and `--stage-media-script` unless you trust the separate QQBot tooling and understand where generated review files will be staged or sent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"or pass --stage-media-script."
        )

    result = subprocess.run(
        [sys.executable, str(script), str(source)],
        capture_output=True,
        text=True,
Confidence
90% confidence
Finding
result = subprocess.run( [sys.executable, str(script), str(source)], capture_output=True, text=True, )

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill advertises shell, network, file read/write, and environment capabilities through documented command usage, but no permissions are explicitly declared in the manifest. This creates a transparency and governance gap: the platform or user may not realize the skill can execute commands, access local files, write review artifacts, or make external requests, increasing the chance of over-privileged execution and misuse.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The QQBot handoff adds an external file-delivery channel that goes beyond basic paper search and review generation. That creates a data egress path where generated literature reviews, metadata, or locally written files could be sent to another system without the behavior being central to the stated skill purpose, increasing exfiltration and scope-creep risk.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The documentation describes generating files and delivering them through QQBot, but this external delivery behavior is not reflected in the high-level manifest description. Hidden or under-declared outbound behavior is risky because users and policy systems may authorize a research tool without realizing it can transmit generated content to another service.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The skill includes an unrelated handoff mechanism that locates and runs an external helper script for qqbot media staging. In the context of an academic search/review tool, this expands the trust boundary significantly and enables arbitrary local code execution or unintended data exfiltration through a secondary component.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.