Paperless-ngx Document Manager

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Paperless-ngx document-management helper, with expected access to the configured Paperless account and documents.

Install only if you are comfortable giving the agent the same Paperless-ngx access as the configured token. Use a limited Paperless account or token if possible, confirm uploads, metadata creation, bulk edits, and deletes before running them, and choose explicit safe paths for downloads.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Description-Behavior Mismatch

Medium

Confidence: 86% confidence
Finding: The script exposes a write capability (`--create` document type) that is broader than the skill description, which only advertises search, upload, tag, and retrieve operations. In an agent setting, undocumented mutation capabilities increase the risk of unintended or unauthorized changes because users and policy layers may grant trust based on the narrower manifest description.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal