Arxiv Paper Writer

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate arXiv paper-writing helper, with the main caveats being broad activation wording and Chinese-only progress summaries.

Before installing, be explicit about the paper directory the agent may edit, review any suggested sudo, MiKTeX, or uv package-install commands before running them, and ask the agent to report progress in your preferred language if Chinese is not appropriate.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 88%
Finding
The trigger description is very broad and could cause this skill to activate for many generic writing or paper-help requests, even when the user did not ask for this specific workflow. Over-broad auto-triggering can steer the agent into unnecessary file operations, project scaffolding, or workflow assumptions that expand its action surface beyond user intent.

Natural-Language Policy Violations

Medium
Confidence: 95%
Finding
The skill instructs the agent to summarize progress briefly in Chinese regardless of the user's language preference. This violates expected language/UX policy and can cause confusing or inaccessible responses, especially in multilingual or English-only contexts.

VirusTotal

64/64 vendors flagged this skill as clean.
