arxiv-daily

Security checks across malware telemetry and agentic risk

Overview

This is a coherent arXiv paper-fetching and scheduled-summary helper, with normal setup risks around local files, chat push routing, and automatic Python dependency installation.

Install this only if you want recurring arXiv fetches and chat pushes. Before enabling it, confirm the arXiv categories, timer schedule, output paths, and push destination; use a virtual environment or preinstall dependencies if you do not want run.sh modifying your global Python environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 86%
Finding: The skill describes file-writing and network-fetching behavior but does not declare permissions or clearly scope those capabilities. In an agent environment, undeclared capabilities reduce transparency and can cause the agent to perform external data access or local writes without appropriate user awareness, review, or sandboxing.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding: The script automatically installs Python packages at runtime with `pip3 install requests beautifulsoup4 -q`, which changes the host environment without explicit user consent. In an agent/skill context, this increases supply-chain and environment-integrity risk because executing the skill can unexpectedly pull code from package indexes and mutate shared system state beyond the stated paper-fetching functionality.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding: The `pip3 install` behavior gives the skill the ability to modify the system Python environment, which is not necessary for simply fetching arXiv papers at runtime. In shared or privileged environments, this can overwrite packages, introduce dependency conflicts, or install untrusted code from external sources, making the skill more dangerous than its narrow stated purpose suggests.

Vague Triggers

Severity: Medium
Confidence: 80%
Finding: The trigger conditions are broad enough to activate on ordinary discussion about arXiv or papers, which can cause the skill to run in contexts where the user did not intend automation, file creation, or push-configuration handling. Because this skill also performs network access and writes configuration/data files, overbroad invocation increases the chance of unintended side effects and privacy-impacting actions.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The instructions tell the agent to display the current channel, account, and chat_id to help configure push delivery, but these identifiers can be sensitive routing metadata. Revealing them without an explicit privacy warning, minimization, or confirmation can expose internal account identifiers or destination details to users or logs unnecessarily.

VirusTotal

67/67 vendors flagged this skill as clean.