Security audit

Paper2diagram

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only paper-analysis skill that clearly discloses use of user-configured AI gateways, though users should avoid sending sensitive PDFs to gateways they do not trust.

Install only if you are comfortable sending the selected PDF or extracted paper content to your configured Gemini and Banana gateways. Review the separate workflow repository before running it, use a virtual environment or container, and avoid unpublished, proprietary, or regulated papers unless the gateway is trusted and approved for that data.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

External Transmission

Medium

Category: Data Exfiltration
Content: - **需要网络访问**：连接到你自己配置的 LLM / 图像网关（例如 dongli gateway） - **环境变量**（可以在 OpenClaw 的 `skills.entries.paper2diagram.env` 中配置，也可以在 shell 中设置）： - `GEMINI_API_KEY` - `GEMINI_BASE_URL`（示例：`https://api.dongli.work/v1beta`） - `GEMINI_MODEL`（示例：`gemini-3-pro`） - `BANANA_PRO_API_KEY` - `BANANA_PRO_BASE_URL`（示例：`https://api.dongli.work`）
Confidence: 88% confidence
Finding: https://api.dongli.work/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal