arxiv_deep_reader

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent arXiv paper reader that fetches public paper content and sends it to a configured LLM for Chinese reading notes, with no evidence of hidden persistence, destructive behavior, or data theft.

Install only if you are comfortable sending the selected paper text and metadata to the LLM provider configured in .env. Prefer a trusted provider or local-compatible endpoint, avoid using it for private or unpublished manuscripts, and consider pinning or reviewing dependency versions before use in a sensitive environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (14)

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The code sends paper titles and abstracts directly to an external LLM agent via `self.chain.invoke(...)` without any visible consent, notice, redaction, or configuration guard in this component. In an arXiv-reading skill this may seem routine, but abstracts/titles can still contain sensitive, proprietary, or embargoed research text in other deployments, so silent third-party transmission creates a real data exposure and compliance risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The agent sends large portions of paper text, appendix content, and identifying metadata such as title, authors, and arXiv ID to an external LLM backend via `create_agent(...).invoke(...)` without any consent gate, redaction step, or visible disclosure in this component. In a paper-reading skill this may be expected behavior, but it still creates a real confidentiality and compliance risk if users process unpublished drafts, licensed content, or sensitive metadata through a third-party model provider.

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
The prompt enforces Chinese-language output for the generated reading notes without indicating that the user's preferred language should be honored. This can cause accessibility and usability issues, especially in multilingual environments, and may lead the agent to ignore explicit user language preferences or downstream system expectations.

Ssd 4

Medium
Confidence
92% confidence
Finding
Untrusted paper title and abstract text are inserted directly into the LLM input, so adversarial content inside a paper can act as prompt injection and steer the summarizer away from its intended task. In this skill, the impact is somewhat constrained because the agent appears to only generate text summaries, but injected instructions could still manipulate notes, produce misleading output, or propagate unwanted content into downstream workflows.

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
python-dotenv>=1.0.0
arxiv>=2.1.0
arxiv-to-prompt
Confidence
95% confidence
Finding
arxiv-to-prompt

Unpinned Dependencies

Low
Category
Supply Chain
Content
langchain>=1.2.9
langchain-openai>=1.1.7
requests>=2.31.0
python-dotenv>=1.0.0
Confidence
98% confidence
Finding
langchain>=1.2.9

Unpinned Dependencies

Low
Category
Supply Chain
Content
langchain>=1.2.9
langchain-openai>=1.1.7
requests>=2.31.0
python-dotenv>=1.0.0
arxiv>=2.1.0
Confidence
97% confidence
Finding
langchain-openai>=1.1.7

Unpinned Dependencies

Low
Category
Supply Chain
Content
langchain>=1.2.9
langchain-openai>=1.1.7
requests>=2.31.0
python-dotenv>=1.0.0
arxiv>=2.1.0
arxiv-to-prompt
Confidence
96% confidence
Finding
requests>=2.31.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
langchain>=1.2.9
langchain-openai>=1.1.7
requests>=2.31.0
python-dotenv>=1.0.0
arxiv>=2.1.0
arxiv-to-prompt
Confidence
90% confidence
Finding
python-dotenv>=1.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
langchain-openai>=1.1.7
requests>=2.31.0
python-dotenv>=1.0.0
arxiv>=2.1.0
arxiv-to-prompt
Confidence
93% confidence
Finding
arxiv>=2.1.0

Known Vulnerable Dependency: langchain — 10 advisory(ies): CVE-2023-36258 (langchain arbitrary code execution vulnerability); CVE-2026-45134 (LangSmith SDK: Public prompt pull deserializes untrusted manifests without trust); CVE-2024-2965 (Denial of service in langchain-community) +7 more

Critical
Category
Supply Chain
Confidence
98% confidence
Finding
langchain

Known Vulnerable Dependency: langchain-openai — 2 advisory(ies): CVE-2026-41488 (langchain-openai: Image token counting SSRF protection can be bypassed via DNS r); CVE-2026-41488 (LangChain is a framework for building agents and LLM-powered applications. Prior)

Medium
Category
Supply Chain
Confidence
94% confidence
Finding
langchain-openai

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
97% confidence
Finding
requests

Known Vulnerable Dependency: python-dotenv — 1 advisory(ies): CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

Low
Category
Supply Chain
Confidence
88% confidence
Finding
python-dotenv

VirusTotal

66/66 vendors flagged this skill as clean.