Back to skill

Security audit

llm-researcher

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed LLM research helper that fetches public research sources, uses MinerU for PDF conversion, and writes a local report.

Install this only if you are comfortable using a MinerU API key and having selected paper PDF URLs processed by MinerU. Avoid using it with private, internal, or access-controlled PDFs unless you intend to send those documents or URLs to that third-party service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script submits a user-supplied PDF URL to the third-party MinerU API, which means URLs and referenced documents are disclosed to an external service without any explicit warning, consent prompt, or trust boundary enforcement. In a research-agent context, this is more dangerous because users may provide private preprints, internal documents, or sensitive URLs expecting only local processing.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.