Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 70% confidence
- Finding
- Without declared permissions the skill's intent is opaque and cannot be validated.
Security audit
Security checks across malware telemetry and agentic risk
This appears to be a legitimate paper-digest helper, with normal setup and API-key risks users should handle carefully.
Install only if you trust the linked GitHub project and are comfortable with it downloading code, installing Python dependencies, and using an external LLM provider. Use a limited API key, keep .env private, review the downloaded code before running, and check what is using port 8000 before running the stop script.
echo ">> Git not available. Downloading zip to $PROJECT_DIR"
mkdir -p "$PROJECT_DIR"
tmp_zip="$(mktemp -t agentic_paper_digest.XXXXXX).zip"
if command -v curl >/dev/null 2>&1; then
curl -L "$ZIP_URL" -o "$tmp_zip"
elif command -v wget >/dev/null 2>&1; then
wget -O "$tmp_zip" "$ZIP_URL"echo ">> Installing Python deps" pip install -r requirements.txt if [ ! -f ".env" ] && [ -f ".env.example" ]; then cp .env.example .env echo ">> Created .env from .env.example" fi
pip install -r requirements.txt if [ ! -f ".env" ] && [ -f ".env.example" ]; then cp .env.example .env echo ">> Created .env from .env.example" fi
if [ ! -f ".env" ] && [ -f ".env.example" ]; then cp .env.example .env echo ">> Created .env from .env.example" fi echo ">> Done. Edit .env, then run scripts/run_cli.sh or scripts/run_api.sh"
65/65 vendors flagged this skill as clean.
No suspicious patterns detected.