PubMed-Search

Warn

Audited by Socket on Mar 11, 2026

1 alert found:

Security
Severity: MEDIUM
SKILL.md

The PubMed-Search skill aims to provide a legitimate biomedical literature workflow (search, metadata retrieval, analysis, and optional PDF access). However, its installation path relies on a single-shot `curl | bash` script fetched from an unverified external domain to install a binary (uv) outside official registries. This creates a significant supply-chain risk and a credential-security concern that is disproportionate to the skill's benign information-access purpose. The other data flows (PubMed API usage, optional API keys) are proportionate and standard, but the installation method raises the overall risk profile. Recommended remediation: replace the remote installer with an officially distributed package from a recognized registry, provide a verifiable checksum or signature for the installer, or bundle the tool as a Python package distributed via PyPI. Also tighten credential handling and document explicit consent and local data-handling policies for any PDF downloads.

Confidence: 72%
Severity: 72%
Audit Metadata
Analyzed At
Mar 11, 2026, 04:05 AM
Package URL
pkg:socket/skills-sh/JackKuo666%2Fpubmed-search-skill%2Fpubmed-search%2F@bc68a03871058c9614147d23a52a6a943bee381c