pubmed-trends
Audited by Socket on Mar 11, 2026
2 alerts found:
Anomaly (x2)
The skill’s stated purpose (providing PubMed analytics via a paid micropayment model) is broadly coherent with the described endpoints and workflow. However, there are multiple security concerns: reliance on an unverified external domain for core data (pubmed.sekgen.xyz), embedded shell-like invocation patterns in the documentation that could tempt unsafe execution, and an opaque payment/authentication flow that could leak credentials or query data. The combination of third-party data flow, potential data exfiltration of user queries, and an unverifiable supply chain warrants elevated scrutiny. I categorize this as SUSPICIOUS due to data flow to an untrusted domain and the explicit pay-per-use model that introduces additional risk vectors. Without stronger assurances around data handling, consent, and secure execution of payment commands, the skill should be treated with caution in production environments.