Arxiv Paper Downloader

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it downloads arXiv PDFs and saves local metadata, with ordinary downloader risks but no evidence of deception or malicious behavior.

Install if you are comfortable with the skill making outbound requests to arxiv.org and creating PDF/JSON files locally. Use a dedicated output directory, pass valid arXiv IDs, and prefer an isolated Python environment with reviewed dependency versions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Low
Confidence: 86%
Finding
The skill advertises direct PDF and batch downloads without warning users that it will make outbound network requests and modify the local filesystem. In a downloader skill this behavior is expected, but failing to disclose it can still mislead users and reduce safe review, especially in automated agent environments.

VirusTotal

67/67 vendors flagged this skill as clean.
