Back to skill

Security audit

follow-arxiv

Security checks across malware telemetry and agentic risk

Overview

This arXiv paper skill mostly does what it claims, but it has under-scoped persistent prompt editing and local file write/delete behavior that users should review before installing.

Review before installing. This skill contacts arXiv, downloads and parses PDFs, stores configuration and prompt templates under ~/.arxiv-search, caches PDFs, and writes generated analysis data locally. Avoid using prompt-editing commands with arbitrary names unless the package is patched to restrict prompt names to the intended templates and keep writes/deletes inside the prompt directory. Pin dependencies and add cleanup controls for cached PDFs and temp analysis files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill performs file reads/writes and network access but does not declare permissions, which weakens transparency and policy enforcement. Users and the host agent may invoke it without understanding that it can modify local state, read generated files, and fetch remote content from arXiv/PDF URLs.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The declared purpose focuses on searching and analyzing arXiv papers, but the documented behavior also performs onboarding, dependency checks, persistent configuration changes, prompt template management, and temporary file creation. This mismatch can cause users or orchestrators to grant trust to a skill that does materially more than advertised, increasing the chance of unintended system changes.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The statement that the skill runs 'entirely on the local machine' is misleading because the skill explicitly searches arXiv and downloads PDFs over the network. This can cause users to underestimate privacy, telemetry, and supply-chain exposure from remote requests and downloaded content.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The CLI exposes prompt-template read/write/reset operations that are not necessary for the advertised arXiv search, download, and analysis workflow. In an agent setting, this expands the tool's authority to modify future model instructions, creating a prompt-persistence and prompt-injection surface that could be abused to alter later behavior or exfiltrate data through customized prompts.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The downloader accepts an arbitrary `pdf_url` from `paper_metadata` and fetches it with `requests.get` without validating that it belongs to arXiv or even that it is a PDF. In an agent context, this can enable server-side request forgery behavior or unintended fetching of attacker-controlled content, which is more dangerous because the skill is expected to handle arXiv papers but the implementation silently trusts external metadata.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger description is broad enough to overlap with common requests about papers, summaries, and analysis, which raises the risk of accidental invocation. In this skill, accidental invocation matters because it can initiate network access, write files, and persist configuration changes without a narrowly scoped user request.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The workflow instructs the agent to download PDFs, write temp files, and modify persistent user configuration, but it does not provide clear advance warning or obtain explicit consent for these system and data changes. That makes the skill more dangerous in practice because normal use can silently alter local state and create artifacts on disk.

Missing User Warnings

Low
Confidence
91% confidence
Finding
The deep-analysis flow mentions processing a PDF but does not clearly disclose that it will perform network download and local caching/writes. This reduces informed consent and can surprise users in restricted or privacy-sensitive environments, though the action is at least somewhat implied by the paper-analysis context.

Unpinned Dependencies

Low
Category
Supply Chain
Content
arxiv>=2.1.0
pymupdf>=1.23.0
requests>=2.31.0
python-dateutil>=2.8.2
Confidence
92% confidence
Finding
arxiv>=2.1.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
arxiv>=2.1.0
pymupdf>=1.23.0
requests>=2.31.0
python-dateutil>=2.8.2
Confidence
97% confidence
Finding
pymupdf>=1.23.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
arxiv>=2.1.0
pymupdf>=1.23.0
requests>=2.31.0
python-dateutil>=2.8.2
Confidence
98% confidence
Finding
requests>=2.31.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
arxiv>=2.1.0
pymupdf>=1.23.0
requests>=2.31.0
python-dateutil>=2.8.2
Confidence
90% confidence
Finding
python-dateutil>=2.8.2

Known Vulnerable Dependency: pymupdf — 1 advisory(ies): CVE-2026-3029 (PyMuPDF has a path traversal in _main_.py)

Low
Category
Supply Chain
Confidence
91% confidence
Finding
pymupdf

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
98% confidence
Finding
requests

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.