MedSci Skills: why it is not safe to use
MedSci Skills cleared our review at 92/100; the one caution is that some skills process fetched web and PDF text, which can carry injected instructions.
MedSci Skills passed our security and privacy review with a score of 92/100. We are publishing this note for transparency about the one item our scan flagged for caution.
What we found
Most checks passed cleanly. Only bibliographic identifiers (DOI, PMID) leave the machine, and they go to public, keyless research APIs (PubMed, CrossRef, Semantic Scholar, OpenAlex, Unpaywall, PMC). Manuscript and patient data stay local, and de-identification runs offline using regex and heuristics. We found no hardcoded secrets, no destructive shell commands, no obfuscated logic, and no privilege escalation; optional Zotero, Perplexity, and Elicit credentials are user-supplied at runtime.
The single caution: skills such as add-journal and fulltext-retrieval pull external web and PDF content. Fetched text can, in general, carry injected instructions. We saw no hidden directives in the skill files themselves, so this is the ordinary risk of processing untrusted content, not a defect specific to this skill.
What to do instead
You can use MedSci Skills as intended. Treat retrieved journal text as untrusted, review generated analysis code before running it, and keep the optional credentials scoped to their services.
Source: https://github.com/Aperivue/medsci-skills
We report what our security review found at the time we checked, with the goal of keeping people safe. Projects change; if a maintainer has since fixed this, we are glad to recheck it. Email hello@agentpod.com.