Security audit

arxiv-paper-resolver

Security checks across malware telemetry and agentic risk

Overview

This skill fetches public arXiv papers and saves expected local paper files for translation, with no hidden credential use, destructive behavior, or unrelated access found.

Install in a virtual environment, choose a non-sensitive output directory, and be aware that the skill downloads public arXiv content and saves it locally. Consider pinning or auditing dependency versions before use. If you ask an LLM to translate generated sections, only use papers whose text you are comfortable sending to that model or provider.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 93%
Finding: The skill clearly directs execution of network access, local file creation, and environment-variable-based output selection, yet no explicit permissions or user-consent boundaries are declared. This is dangerous because an agent may perform filesystem writes and external downloads implicitly, increasing the risk of unintended data persistence or network activity outside user expectations.

Missing User Warnings

Medium
Confidence: 95%
Finding: The skill instructs automatic remote fetching and local file creation without clearly warning the user that it will access the network and modify the filesystem. In an agent setting, silent downloads and writes are risky because they can surprise users, consume resources, and persist externally sourced content to sensitive locations.

VirusTotal

66/66 vendors flagged this skill as clean.