Security audit

Arxiv Papers

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward arXiv search helper; the main caveat is that searches are sent to arXiv through a small curl script.

Install this if you are comfortable sending your search terms to arXiv and using a local curl-based helper. Avoid putting sensitive private information in search queries, and only use the optional research log for notes you want retained.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 90% confidence
Finding: The skill invokes a shell script (`scripts/search_arxiv.sh`) but does not declare any corresponding permission or capability boundary. Undeclared shell access is risky because user-controlled query input may flow into command execution or network-fetch behavior without explicit review, making the skill harder to sandbox and audit.

VirusTotal

No VirusTotal findings

View on VirusTotal