Security audit

CC3PO arXiv Research

Security checks across malware telemetry and agentic risk

Overview

This arXiv skill is coherent and purpose-aligned, with optional reading-list persistence that users should configure knowingly.

Install this only if you want an assistant to search arXiv, download PDFs locally, and optionally maintain a saved-paper reading list. Do not set MONGODB_URI unless you are comfortable storing paper metadata and reading status in that database, and prefer explicit arXiv wording when invoking the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 78%
Finding: The skill documentation references environment-based configuration for MongoDB despite not declaring corresponding permissions or clearly scoping that capability in the manifest. Hidden or undeclared access to environment variables increases the risk of over-privileged behavior and makes it harder for users or platforms to assess what sensitive data the skill may access.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 91%
Finding: The stated purpose is limited to searching, downloading, and summarizing arXiv papers, but the skill also advertises persistent reading-list storage and status management in MongoDB. This description-behavior mismatch is dangerous because users may invoke the skill expecting transient research assistance while the skill persists their activity and paper interests to a database without prominent disclosure.

Description-Behavior Mismatch
Severity: Medium
Confidence: 87%
Finding: The manifest and top-level description present an arXiv search/download/summarization tool, while the body adds persistent reading-list tracking via MongoDB. Security-relevant capability drift between manifest and documentation undermines review and consent because a user or platform may approve the skill for read-only research tasks without realizing it can store user activity.

Context-Inappropriate Capability
Severity: Medium
Confidence: 80%
Finding: MongoDB-backed paper tracking is not necessary for the core task of searching and summarizing arXiv content, so it expands the skill's data-handling surface beyond its justified purpose. Unnecessary persistence creates avoidable privacy and abuse risks, especially if user research interests, queries, or reading status are stored indefinitely or without strong access controls.

Description-Behavior Mismatch
Severity: Medium
Confidence: 96%
Finding: The skill description presents a read-oriented arXiv search/download tool, but the implementation also initializes MongoDB connectivity and supports persistent storage. This mismatch expands the trust boundary and can cause users or hosting platforms to grant the skill more access than expected, creating undisclosed data persistence and external data-flow risk.

Description-Behavior Mismatch
Severity: Medium
Confidence: 98%
Finding: The code actively writes paper metadata and reading-status records to MongoDB through save_paper and update_status, despite the stated purpose focusing on search, download, and summarization. Undisclosed state modification is dangerous because it can surprise operators, retain user activity/history, and create compliance and privacy issues in environments expecting a non-persistent research utility.

Context-Inappropriate Capability
Severity: Medium
Confidence: 95%
Finding: The skill reads MongoDB connection settings from environment variables and opens an external database connection unrelated to the narrow arXiv retrieval function advertised. In agent environments, hidden external connectivity increases the attack surface, may expose sensitive infrastructure metadata, and can enable unauthorized data exfiltration or persistence if deployed with privileged environment configuration.

Vague Triggers
Severity: Medium
Confidence: 88%
Finding: The trigger list contains generic phrases like "paper," "research paper," and "find papers," which are likely to appear in ordinary user conversations outside explicit requests to invoke this skill. In an agent environment, overly broad triggers can cause unintended activation, routing user data or tasks to this skill unexpectedly and increasing the risk of prompt/skill hijacking or incorrect tool use.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.