
Security audit

arxiv-weekly-report

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed arXiv report generator, but users should be aware that it saves local report and cache files, and that its PDF helper can fetch arbitrary PDF URLs if invoked that way.

Reasonable to install if you want automated arXiv weekly reports. Expect it to access arXiv over the network, possibly install pypdf, download selected PDFs, and leave Markdown reports plus optional PDF/text cache files under ~/.openclaw/skills/arxiv-weekly-report. Use arXiv IDs or trusted arxiv.org PDF links only, and avoid invoking --pdf-url with arbitrary or untrusted URLs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill instructs the agent to read local files, write Markdown reports to disk, and access the network, but it declares no permissions or consent model for those capabilities. This creates a transparency and authorization gap: a user may invoke what appears to be a simple summarization skill without realizing it can persist data locally and fetch remote content.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The documented behavior says the skill searches arXiv and generates a weekly report, but the described implementation also downloads PDFs, extracts full text, and saves local cache/output files while not actually implementing some of the promised analysis steps. This mismatch is dangerous because users and policy systems may approve the skill under a narrower trust model than the actions it really performs, enabling unexpected data transfer and persistence.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script accepts arbitrary --pdf-url input and, when it cannot parse an arXiv ID, uses the provided URL directly for download. In the context of an agent skill meant for arXiv weekly reporting, this expands capability to arbitrary remote fetching, which can be abused for unintended outbound access, retrieval of attacker-controlled content, and processing of untrusted PDFs beyond the declared scope.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The download and parse flow will fetch attacker-supplied remote PDFs and pass them into a PDF parser, creating a broader attack surface than needed for arXiv reporting. Even without code execution in this script, arbitrary remote retrieval can enable SSRF-like outbound requests to unexpected hosts and expose the system to malicious or malformed PDF content handled by third-party parsing code.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill mandates writing the generated report into a fixed local directory without warning the user or asking for confirmation. Unprompted persistence can leak sensitive research interests, create unwanted local artifacts, and violate least-surprise expectations for a search/summarization workflow.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The instructions require creating a directory and saving Markdown files persistently, but they do not provide a clear warning about local data retention or the security implications of stored content. This increases the risk of unintended persistence, especially in shared environments or when report content may reveal sensitive topics of interest.

VirusTotal

64/64 vendors flagged this skill as clean.
