Paper Reading Assistant (论文阅读助手)

Security checks across malware telemetry and agentic risk

Overview

This paper-reading skill is mostly purpose-aligned, but it automatically installs Python packages during normal use and persists extracted paper content locally without enough per-run user control.

Review before installing. Use this only if you are comfortable with it installing pymupdf, pdfplumber, and pypdf automatically when missing, and with extracted paper content being saved in the workspace and cached under ~/.workbuddy/cache/readpaper. Prefer running it in a virtual environment or sandbox, and inspect/delete generated cache and report files when handling sensitive papers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (9)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
print(f"  未检测到 {package_name},正在安装...", end=' ')
try:
    import subprocess
    subprocess.check_call([
        sys.executable, '-m', 'pip', 'install', package_name,
        '-q', '--disable-pip-version-check'
    ])
Confidence
98% confidence
Finding
subprocess.check_call([ sys.executable, '-m', 'pip', 'install', package_name, '-q', '--disable-pip-version-check' ])

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documentation describes capabilities equivalent to file read, file write, and shell/package execution, but no permissions are declared. This creates a transparency and consent failure: users may invoke a document-analysis skill without realizing it can modify the environment, write outputs and cache files, or execute package installation commands.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The declared purpose understates actual behavior by omitting automatic dependency installation and persistent caching under the user's home directory, while also overstating direct report generation. Description-behavior mismatch is dangerous because users and security controls rely on metadata to assess trust, and hidden side effects can lead to unauthorized system changes or data persistence.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Automatically installing Python packages at runtime is not necessary for a paper-reading skill and materially increases attack surface. In this context, the behavior is more dangerous because a seemingly low-risk document-processing skill is granted the ability to change the execution environment and retrieve third-party code, which can be abused through dependency confusion, compromised mirrors, or unexpected privilege contexts.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The natural-language triggers such as '帮我读这篇论文' ("read this paper for me"), '总结这篇文献' ("summarize this literature"), and '分析这篇论文' ("analyze this paper") are very broad and likely to activate during ordinary conversation, causing the skill to run unexpectedly on user-provided files or links. In this skill's context, unintended activation can lead to local file access, remote fetching, and automatic report generation/saving without sufficiently explicit user confirmation.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The example shows the assistant automatically generating and saving a report to a local/workspace directory, but the skill description does not clearly warn users that disk writes will occur. In practice, silent file creation can surprise users, defeat their expectations about where data is stored, and persist potentially sensitive derived content from local PDFs without informed consent.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The example demonstrates direct analysis of an external arXiv URL, but the skill description does not prominently warn that it will fetch remote content from third-party sites. This can expose users to unexpected network activity, privacy concerns, and retrieval of untrusted content, though the impact here is lower because the behavior is still somewhat implied by the URL-based usage example.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
Automatic dependency installation is a system-modifying behavior that can change the runtime environment, introduce supply-chain risk, and trigger network/package-manager execution without clear warning. In a document-processing skill, this behavior is not inherently malicious, but it becomes risky when performed implicitly rather than through explicit user approval.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script performs an environment-modifying action without any warning or confirmation, violating least surprise and safe-execution expectations for an agent skill. Even if the package names are hardcoded, silent installation can alter system state, break reproducibility, and expose the host to supply-chain risk.

VirusTotal

64/64 vendors flagged this skill as clean.
