Paperzilla CLI

Security checks across malware telemetry and agentic risk

Overview

This is a normal Paperzilla CLI helper, but using it means trusting Paperzilla, logging in, and protecting tokenized feed URLs.

Install only if you trust Paperzilla and its distribution channels. Be especially careful with the Linux install because it places a downloaded binary in your system path, and do not share Atom feed URLs because anyone with the embedded token may be able to access that feed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill instructs users to generate an Atom feed URL containing an embedded token, but it does not warn that the URL is effectively a bearer secret. Such URLs are commonly copied into chat logs, shell history, browser history, screenshots, or shared with third-party feed readers, which could allow unauthorized access to the user's feed if exposed.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal