CtrlK
BlogDocsLog inGet started
Tessl Logo

mlava/scholar-sidekick-cli

Resolve scholarly identifiers (DOI, PMID, PMCID, ISBN, arXiv, ISSN, ADS bibcode, WHO IRIS URL) into formatted citations (10,000+ CSL styles) and bibliography exports (BibTeX, RIS, EndNote, CSV…), and check retraction, open-access, and citation-fabrication status — from the terminal via the `scholar` CLI. Wraps the public REST API; needs Node ≥20 but no API key for the free tier. Use when the user wants to look up, cite, export, or verify a reference by DOI, PMID, PMCID, ISBN, arXiv ID, ISSN, ADS bibcode, or WHO IRIS URL from the terminal — including retraction, open-access, and fabricated-citation checks.

70

Quality

88%

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Advisory

Suggest reviewing before use

Overview
Quality
Evals
Security
Files

Security

1 medium severity finding. This skill can be installed but you should review these findings before use.

Medium

W011: Third-party content exposure detected (indirect prompt injection risk)

What this means

The skill exposes the agent to untrusted, user-generated content from public third-party sources, creating a risk of indirect prompt injection. This includes browsing arbitrary URLs, reading social media posts or forum comments, and analyzing content from unknown websites.

Why it was flagged

Third-party content exposure detected (medium risk: 0.65). The required runtime workflow calls a public Scholar Sidekick REST API and ingests the returned bibliographic metadata (e.g., titles/abstracts/notes) into the agent’s LLM context; that metadata is effectively outsider-authored free text originating from third-party scholarly sources rather than the operating user.

Report incorrect finding
Audited
Security analysis
Snyk