Security audit

agentic-paper-digest-skill

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it claims, but installation and runtime give unpinned downloaded code access to a local API key and include some broad local side effects users should review first.

Install only if you trust the upstream GitHub project and are comfortable running its latest unpinned code. Use a fresh project directory, review or pin the repository before adding a real API key, use a limited and revocable key, keep the API bound to localhost, and avoid the stop script when another service may be using port 8000.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill explicitly instructs the agent to create or edit a local `.env` file and configuration files, which commonly contain API keys and other sensitive settings, without requiring a clear warning, confirmation, or least-privilege handling. In an agentic environment, this can cause accidental overwrites, secret exposure, or unsafe persistence of credentials on disk.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill directs the agent to bootstrap code via git or zip download and to run scripts that depend on network access, but it does not present a clear user-facing warning that external downloads and HTTP requests will occur. This is dangerous because it can lead to unanticipated code retrieval and execution from remote sources, increasing supply-chain and data-exposure risk.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The script sources an arbitrary .env file directly into the current shell, which executes shell syntax rather than merely parsing key=value pairs. If an attacker can modify ENV_FILE or the referenced .env content, they can achieve code execution in the user's context before the Python service starts. In an agent skill context, loading undisclosed environment content also increases the chance of quietly importing unsafe or sensitive configuration.
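The two loading patterns this finding contrasts, as an added example that is not the skill's own installer: the flagged `. "$ENV_FILE"` style, which executes the file, next to a loader that reads the file as KEY=VALUE data. The function names, the sample .env and its planted command substitution are constructed for this example; the skill's real ENV_FILE handling is not reproduced here.

```shell
#!/bin/sh
# Added example, not code from the agentic-paper-digest-skill project.
# Function names (source_env_unsafe, load_env_literal, make_demo_env) are hypothetical.

cr=$(printf '\r')

# The flagged pattern: sourcing runs every line as shell, so a planted
# KEY=$(command) line executes that command in the user's context.
source_env_unsafe() {
  . "$1"
}

# Safer loader: accept only KEY=VALUE with an identifier KEY, export VALUE as a
# literal string, and count anything else as rejected. Sets LOAD_ENV_REJECTED and
# returns non-zero if any line was rejected so an installer can refuse to continue.
load_env_literal() {
  env_file=$1
  LOAD_ENV_REJECTED=0
  [ -r "$env_file" ] || { echo "cannot read $env_file" >&2; return 2; }
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%"$cr"}                        # tolerate CRLF files
    case $line in ''|'#'*) continue ;; esac   # blank lines and comments
    case $line in 'export '*) line=${line#"export "} ;; esac
    key=${line%%=*}
    value=${line#*=}
    if [ "$key" = "$line" ]; then             # no '=' at all
      echo "rejected (no '='): $line" >&2
      LOAD_ENV_REJECTED=$((LOAD_ENV_REJECTED + 1)); continue
    fi
    case $key in
      ''|[0-9]*|*[!A-Za-z0-9_]*)              # not a valid identifier
        echo "rejected (bad key): $line" >&2
        LOAD_ENV_REJECTED=$((LOAD_ENV_REJECTED + 1)); continue ;;
    esac
    case $value in                            # strip one layer of matching quotes
      '"'*'"') value=${value#'"'}; value=${value%'"'} ;;
      "'"*"'") value=${value#"'"}; value=${value%"'"} ;;
    esac
    export "$key=$value"                      # literal: $(...), backticks and ';' stay text
  done < "$env_file"
  [ "$LOAD_ENV_REJECTED" -eq 0 ]
}

# Constructed sample .env in a private temp dir; one line carries a command
# substitution that would run if the file were sourced. Prints the dir path.
make_demo_env() {
  d=$(mktemp -d) || return 1
  printf '%s\n' \
    'API_KEY=sk-test-123' \
    'export MODEL="gpt-x"' \
    '# a comment' \
    'EVIL=$(touch pwned.canary)' \
    '1BAD=x' \
    'FOO' > "$d/.env"
  printf '%s\n' "$d"
}

demo() {
  d=$(make_demo_env) || return 1
  ( cd "$d" && source_env_unsafe "$d/.env" ) 2>/dev/null || true
  [ -e "$d/pwned.canary" ] && echo "sourcing ran the planted command"
  rm -f "$d/pwned.canary"
  if load_env_literal "$d/.env" 2>/dev/null; then
    echo "loaded cleanly"
  else
    echo "loaded with $LOAD_ENV_REJECTED rejected line(s)"
  fi
  echo "EVIL is the literal string: $EVIL"
  [ -e "$d/pwned.canary" ] || echo "no command ran under the literal loader"
  rm -rf "$d"
}

demo
```

The literal loader deliberately does not try to emulate shell quoting beyond one layer of matching quotes; a .env that needs more than that is a sign it was written to be sourced, which is exactly the behaviour to avoid.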

External Transmission

Medium
Category
Data Exfiltration
Content
    echo ">> Git not available. Downloading zip to $PROJECT_DIR"
    mkdir -p "$PROJECT_DIR"
    tmp_zip="$(mktemp -t agentic_paper_digest.XXXXXX).zip"
    if command -v curl >/dev/null 2>&1; then
      curl -L "$ZIP_URL" -o "$tmp_zip"
    elif command -v wget >/dev/null 2>&1; then
      wget -O "$tmp_zip" "$ZIP_URL"
    else
      "$PY_BIN" - "$ZIP_URL" "$tmp_zip" <<
Confidence
85% confidence
Finding
When git is unavailable, the installer downloads an archive from $ZIP_URL at install time into a temporary file, using curl -L (which follows redirects), wget, or a Python fallback. This is an outbound transfer that pulls remote code onto the host for execution; in the snippet shown the URL is not pinned to a fixed revision and there is no digest or signature check on the archive before it is used.
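The install step a reviewer would want in place of the unpinned download above, and the pinning the Overview recommends, as an added example that is not the skill's installer: fetch an archive for one fixed revision and refuse to keep it unless its SHA-256 matches a digest recorded in advance. The function names, the placeholder archive URL and the self-check data are constructed here; only the "hello" digest is a known value.

```shell
#!/bin/sh
# Added example, not code from the agentic-paper-digest-skill project.
# Function names and the placeholder URL in the comments are hypothetical.

sha256_of() {
  # Hex digest of a file; GNU coreutils and BSD/macOS spell the tool differently.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | cut -d' ' -f1
  else
    echo "no SHA-256 tool available" >&2
    return 2
  fi
}

verify_sha256() {
  # $1 file, $2 expected lowercase hex digest. Exact string compare, no prefix match.
  actual=$(sha256_of "$1") || return 2
  [ "$actual" = "$2" ]
}

fetch_pinned_archive() {
  # $1 URL of an archive for a specific tag or commit, e.g. (placeholder)
  #    https://github.com/OWNER/REPO/archive/<commit-sha>.zip
  # $2 expected SHA-256, $3 destination path. Nothing lands at $3 unless it verifies.
  tmp=$(mktemp) || return 1
  if command -v curl >/dev/null 2>&1; then
    # -f fails on HTTP errors, --proto '=https' blocks redirects to non-HTTPS hosts
    curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$1" || { rm -f "$tmp"; return 1; }
  elif command -v wget >/dev/null 2>&1; then
    wget -q --https-only -O "$tmp" "$1" || { rm -f "$tmp"; return 1; }
  else
    rm -f "$tmp"; echo "need curl or wget" >&2; return 1
  fi
  if verify_sha256 "$tmp" "$2"; then
    mv "$tmp" "$3"
  else
    rm -f "$tmp"
    echo "digest mismatch for $1, refusing to install" >&2
    return 1
  fi
}

# Offline self-check with constructed data: the SHA-256 of "hello" followed by a
# newline is a well-known value, so the verifier can be exercised without a network.
KNOWN_HELLO_SHA256=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03

self_check() {
  f=$(mktemp) || return 1
  printf 'hello\n' > "$f"
  ok=1
  verify_sha256 "$f" "$KNOWN_HELLO_SHA256" || ok=0            # correct digest accepted
  if verify_sha256 "$f" "0000000000000000000000000000000000000000000000000000000000000000"; then
    ok=0                                                      # wrong digest must be rejected
  fi
  rm -f "$f"
  [ "$ok" -eq 1 ]
}

self_check && echo "digest verification behaves as expected"
```

The expected digest has to come from somewhere the installer does not control at run time (a value committed alongside the skill, or one you record after reviewing the archive); downloading the checksum from the same unpinned URL would verify nothing.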

VirusTotal

66 of 66 vendors reported this skill as clean.

Static analysis

No suspicious patterns detected.