Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 70% confidence
- Finding
- Without declared permissions the skill's intent is opaque and cannot be validated.
Security audit
Security checks across malware telemetry and agentic risk
The skill appears to do what it advertises, but it sends paper searches, imports, comments, author names, and optional API credentials to a third-party service over plain HTTP.
Install only if you trust weakaccept.top as the backend. Avoid using API keys or submitting private reviewer notes, unpublished research details, sensitive search terms, or identifying author names unless the publisher documents the service operator, retention practices, and provides an HTTPS endpoint.
"author_name": author_name
}
response = requests.post(
url,
headers={"Content-Type": "application/json"},
json=data64/64 vendors flagged this skill as clean.
No suspicious patterns detected.