Back to skill

Security audit

PaperBanana

Security checks across malware telemetry and agentic risk

Overview

The skill has a plausible diagram-generation purpose, but the packaged runner depends on missing project code and can run unreviewed modules from the surrounding environment.

Review before installing. Use this only with the complete, trusted PaperBanana/PaperVizAgent project, not as a standalone three-file skill. Avoid confidential unpublished material unless the provider data policy is acceptable, use limited-scope API keys, and expect first-run dataset downloads plus potentially expensive parallel model calls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Low
Confidence
84% confidence
Finding
The skill performs automatic network access and downloads data when local files are absent, but the user-facing description does not clearly disclose this side effect before execution. While the destination is fixed and the transfer is announced at runtime, silent-by-default network behavior can violate user expectations and policy constraints in restricted environments.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
User-supplied content from --content or --content-file is passed into a multi-agent pipeline configured with external models, but this file provides no disclosure that the text may be transmitted to remote model providers. For academic manuscripts or unpublished methods, this can create confidentiality and data-governance risk even if the behavior is functionally expected.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.