Paper Kb

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent paper knowledge-base integration, but it ships and uses high-impact Gitea admin access and broad remote-storage behavior without enough scoping or safety controls.

Review carefully before installing. Do not use the bundled Gitea admin token; rotate it if it was ever valid, require HTTPS, and replace admin-wide repository creation with least-privilege access. Users should be told explicitly that their identity mapping, paper metadata, generated notes, and PDFs may be stored in Gitea and Feishu, and the PDF upload path should be restricted to files produced or uploaded for the current request.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Description-Behavior Mismatch (severity: Low, confidence: 79%)
Finding: The query tool returns Feishu bitable identifiers (app_token/table_id) alongside paper index data, exposing integration secrets/handles beyond what is necessary to answer a knowledge-base query. If downstream prompts, logs, or other tools can access these values, they could be reused to read or modify the user's Feishu data outside the intended query workflow.

Context-Inappropriate Capability (severity: Medium, confidence: 95%)
Finding: The save action accepts paper_data['pdf_local_path'] and uploads whatever local file exists at that path into the user's remote Gitea repository, with no validation that the file is actually a user-provided PDF or confined to a safe upload directory. Because the skill also falls back to predictable /tmp paths, an agent or upstream component could cause unintended local file exfiltration to a remote service, which exceeds the stated paper-ingestion purpose.

Description-Behavior Mismatch (severity: Medium, confidence: 78%)
Finding: The script stores Feishu bitable identifiers and URLs in a centralized users.json, but this capability is not reflected in the skill description or apparent paper-KB scope. Undisclosed collection of external service configuration expands the data surface and can expose sensitive integration metadata if the system repo is misconfigured or accessed by unauthorized operators.

Context-Inappropriate Capability (severity: Medium, confidence: 73%)
Finding: The code reads and writes a centralized system repository containing all users' metadata mappings. Centralized cross-user state increases the blast radius of any repository misconfiguration, token compromise, or code path that writes incorrect entries, potentially exposing or corrupting multiple users' data associations.

Context-Inappropriate Capability (severity: Medium, confidence: 98%)
Finding: The get_index action returns unrelated user configuration fields, including Feishu app/table identifiers and repository metadata, even though a paper index query only needs paper listing information. This exposes more data than least privilege requires and can leak internal integration details that could aid follow-on attacks, cross-system enumeration, or unauthorized access attempts if downstream components log or expose the response.

Description-Behavior Mismatch (severity: High, confidence: 93%)
Finding: This client can create repositories through the Gitea admin API on behalf of arbitrary users, which exceeds the stated paper knowledge-base scope and introduces privileged account-management behavior into the skill. In a user-facing storage/query skill, unnecessary admin capabilities materially increase blast radius if the skill is misused, compromised, or triggered with attacker-controlled parameters.

Context-Inappropriate Capability (severity: Medium, confidence: 82%)
Finding: The code exposes user existence checks against the Gitea instance, which is unrelated to storing and querying papers and can be used for account enumeration. Even if seemingly harmless, enumeration aids follow-on attacks such as credential stuffing, targeted phishing, and discovery of valid internal usernames.

Missing User Warnings (severity: Medium, confidence: 90%)
Finding: The workflow collects and stores user identity data such as open_id, Gitea username, and display name, and links them across systems without an explicit persistence and visibility warning. This is risky because users may not realize their identifiers are being permanently mapped in users.json and associated with external repositories and Feishu resources.

Missing User Warnings (severity: Medium, confidence: 94%)
Finding: The skill processes uploaded PDFs and arXiv content, extracts full text, and uploads derived or original content to external systems (Gitea and Feishu) without an explicit privacy/storage warning or consent checkpoint. This is dangerous because users may unknowingly cause copyrighted, sensitive, or unpublished material to be stored externally and linked to their identity.

Missing User Warnings (severity: Medium, confidence: 87%)
Finding: The save flow writes generated markdown and optional PDF content to a remote Gitea repository tied to the user, but there is no explicit consent checkpoint or disclosure in the code path about remote persistence. In a skill handling academic papers, remote upload is core functionality, yet silent persistence still creates privacy and data-governance risk, especially if the content contains proprietary manuscripts or extracted full text.

Missing User Warnings (severity: Medium, confidence: 84%)
Finding: Feishu app tokens, table IDs, and URLs are persisted directly into users.json without any indication in this code of consent, minimization, masking, or special handling. If the central repository is exposed, these identifiers could enable unauthorized access to linked Feishu resources or facilitate targeted abuse of the integration.

Missing User Warnings (severity: Medium, confidence: 99%)
Finding: The code directly returns Feishu integration data including feishu_app_token, table ID, and table URL to the caller without any demonstrated need for the query operation. If this token is valid for API access, exposing it could enable unauthorized access to the user's Feishu data or facilitate broader compromise of connected resources.

VirusTotal

66/66 vendors flagged this skill as clean.