arxiv-daily

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real arXiv digest helper, but it needs review because it can modify the host Python environment and stores chat-routing details without enough scoping or privacy guidance.

Install only if you are comfortable reviewing the scripts first. Run it in a virtual environment or container, preinstall dependencies yourself, and avoid enabling scheduled pushes until you know where channel/account/chat_id values are stored and how to remove them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding: The skill documentation describes file writing and network-driven fetching behavior, but no explicit permissions are declared. In an agent ecosystem, missing permission declarations weaken user/admin visibility and consent, making it easier for a skill to access the network and write local data without clear authorization boundaries.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 80%
Finding: The documented behavior claims subscription setup, push-time management, and adding new categories, but the described/implemented capability appears limited to local fetching and saving, with undocumented filtering of papers by comments. This mismatch can mislead users and reviewers about what the skill actually does, reducing trust and potentially hiding data-processing behavior they did not expect.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding: The script automatically installs Python packages on the host when imports fail, which modifies the execution environment beyond the stated purpose of fetching and organizing arXiv papers. In an agent or automation context, implicit package installation can introduce unexpected network access, supply-chain risk, privilege side effects, and non-deterministic behavior on the host.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding: Executing `pip3 install` from the script gives the skill the ability to alter the host software environment, which is disproportionate to a read/fetch task and unsafe in shared or sensitive environments. If run with elevated privileges or in a trusted automation pipeline, this could overwrite packages, pull malicious upstream artifacts, or break other workloads.

Vague Triggers

Severity: Medium
Confidence: 75%
Finding: The trigger terms are broad enough to activate on loosely related conversations about arXiv, papers, or notifications. Over-broad triggering can cause unintended invocation of a skill that collects preferences, stores files, and may guide push-channel setup, increasing the risk of unnecessary data handling or user confusion.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The skill instructs collecting and storing push-channel identifiers such as channel, account, and chat_id, but does not specify consent, retention, access controls, or privacy disclosure. These identifiers can be sensitive operational metadata and may enable unintended targeting, disclosure, or misuse if stored insecurely or reused across contexts.

VirusTotal

66/66 vendors flagged this skill as clean.