Back to skill

Security audit

paper-research-assistant

Security checks across malware telemetry and agentic risk

Overview

This paper-research helper is mostly aligned with its purpose, but one scaffold generator can write files outside the chosen output folder when paper metadata is crafted.

Install only if you are comfortable reviewing generated files before running them. Use a dedicated temporary output directory, avoid scaffolding from untrusted PDFs or JSON metadata, inspect generated paths and requirements.txt, and do not run generated training code until you have reviewed it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill instructs use of local file paths and writes outputs to temporary locations, which implies file read/write capability without any declared permission model or user-consent boundary. In an agent setting, this can lead to unintended access to sensitive local documents or uncontrolled creation of files if the runtime assumes undeclared capabilities are allowed.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.