speech-paper-daily

Security checks across malware telemetry and agentic risk

Overview

This skill openly automates finding speech papers and creating a Tencent Docs report, with notable but disclosed local execution and cloud-document side effects.

Install only if you want this skill to create Tencent Docs reports when invoked. Confirm that folder ID YUsookchBhki and the local mcporter Tencent Docs account are the intended destination before using it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Context-Inappropriate Capability

High
Confidence: 97%
Finding
The skill explicitly instructs the agent to generate and execute a local Python script that invokes a subprocess, which unnecessarily expands the capability from document writing into arbitrary code execution. Even if the current example only wraps a Tencent Docs API call, allowing `exec` plus script creation creates a dangerous primitive that can be repurposed if upstream content, tool behavior, or future edits are influenced by untrusted data.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill performs external document creation and local Python/subprocess execution without requiring an explicit consent or warning step. In context, this increases the risk of silent side effects such as publishing content or invoking tooling on behalf of the user when they may have only intended to browse papers.

VirusTotal

66/66 vendors flagged this skill as clean.
