
Security audit

Research Paper Portal

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly a coherent academic-paper portal, but its scheduled update script interpolates externally fetched paper text into a shell command string, so untrusted paper content can change what the local shell executes.

Review and fix scripts/update-papers.py before running or scheduling it: replace shell=True string execution with argument-list execution or a provider SDK, and restrict the LLM command to an allowlisted tool. Run it in a scoped directory under a low-privilege account, verify the LLM and ComfyUI destinations, and inspect generated JSON before enabling automatic publishing.
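The following is an added example, not code from the Research Paper Portal skill. It reproduces the pattern quoted in the finding below (`subprocess.run(f'{llm_command} "{prompt}"', shell=True, ...)`) next to the argument-list form recommended above, and shows why the first one is a problem: a paper title that closes the quoted prompt and appends a second command. The allowlist entry and the use of `echo` as a stand-in for the real LLM CLI are assumptions so that the demo runs offline; the malicious title is constructed.

```python
"""Shell-string vs argument-list execution for the scheduled LLM call.

Added example; not the skill's own update-papers.py. `echo` stands in
for whatever LLM CLI the skill invokes (assumption), so the output of
both variants can be inspected without network access.
"""
import subprocess

# Constructed paper text: a title that ends the quoted prompt, runs an
# extra command, and re-opens a quote so the string stays syntactically
# valid for the shell. Real input would arrive from fetched metadata.
MALICIOUS_TITLE = 'hello"; echo INJECTED; echo "'

# Allowlist: short tool name -> exact argv prefix that may be executed.
# The entry is an assumption; a real deployment would list the specific
# LLM CLI (and ideally its absolute path) instead of echo.
ALLOWED_LLM_COMMANDS = {
    "echo": ["echo"],
}


def run_llm_unsafe(llm_command: str, prompt: str) -> str:
    """The pattern from the finding: an f-string handed to the shell.

    Quotes and metacharacters inside `prompt` are parsed by /bin/sh, so
    text taken from a paper decides what gets executed.
    """
    result = subprocess.run(
        f'{llm_command} "{prompt}"',
        shell=True, capture_output=True, text=True, timeout=60,
    )
    return result.stdout


def run_llm_safe(llm_command: str, prompt: str) -> str:
    """Hardened variant: allowlisted tool, argv list, no shell.

    The prompt is passed as a single argv element, so the kernel hands
    it to the tool verbatim; nothing interprets quotes or semicolons.
    """
    try:
        argv = ALLOWED_LLM_COMMANDS[llm_command]
    except KeyError:
        raise ValueError(f"LLM command not allowlisted: {llm_command!r}")
    result = subprocess.run(
        [*argv, prompt],
        shell=False, capture_output=True, text=True, timeout=60, check=True,
    )
    return result.stdout


def was_injected(output: str) -> bool:
    """True when the appended command actually ran.

    `echo INJECTED` prints the marker on a line of its own; the safe
    variant echoes the whole title as one line, so the marker never
    appears as a separate line there.
    """
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    print("shell=True :", repr(run_llm_unsafe("echo", MALICIOUS_TITLE)))
    print("argv list  :", repr(run_llm_safe("echo", MALICIOUS_TITLE)))
```

Run it and compare the two outputs: with `shell=True` the marker appears on its own line because the shell executed the second `echo`; with the argument list the title comes back as one literal string. Keep the allowlist keyed by a fixed name rather than accepting a path from configuration, otherwise the config file becomes another injection point.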

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (5)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    Overview:xxx"""

    try:
        result = subprocess.run(
            f'{llm_command} "{prompt}"',
            shell=True,
            capture_output=True,
Confidence
98% confidence
Finding
result = subprocess.run( f'{llm_command} "{prompt}"', shell=True, capture_output=True, text=True, timeout=60 )

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill instructs use of file operations, network access, scheduled execution, and shell commands, yet no explicit permissions or safety boundaries are declared. This increases the chance that an agent or user enables powerful actions without understanding that the skill can modify files, contact external services, and execute commands.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented purpose understates important behavior: it sends paper content to external LLM tooling via a shell command and performs automated publishing actions beyond simple aggregation. Misleading documentation is dangerous because users may provide sensitive content or authorize deployment without realizing third-party data transfer, command execution, and automation are involved.

Vague Triggers

Medium
Confidence
75% confidence
Finding
The trigger phrases are broad enough to match ordinary website or research-assistance requests, which can cause the skill to activate in contexts where the user did not intend automated deployment or publishing. Over-broad invocation increases the risk of surprise side effects such as creating configs, contacting services, or proposing scheduled jobs.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill describes automatic collection, translation, image generation, and scheduled publishing, but does not clearly warn that content may be transmitted to external APIs/services and that the site may be changed automatically on a schedule. Lack of informed consent is risky because users may unknowingly expose data or enable unattended content updates on production systems.

VirusTotal

64/64 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.