Back to skill

Security audit

Academic Survey Self Improve

Security checks across malware telemetry and agentic risk

Overview

This survey-generation skill is mostly coherent, but it needs review because it automatically compiles user or arXiv-derived LaTeX locally and can overwrite user documents without strong safeguards.

Install only if you are comfortable with a tool that contacts arXiv, writes local TeX/PDF files, and runs pdflatex on generated or supplied documents. Use a constrained output directory, keep backups before using improvement commands, avoid unattended hourly scheduling unless you intend ongoing file creation and network traffic, and manually verify citations and academic claims before relying on the generated surveys.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (19)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def _compile_pdf(self, tex_file):
        try:
            for _ in range(2):
                subprocess.run(
                    ['pdflatex', '-interaction=nonstopmode', str(tex_file)],
                    cwd=str(tex_file.parent),
                    capture_output=True,
Confidence
90% confidence
Finding
subprocess.run( ['pdflatex', '-interaction=nonstopmode', str(tex_file)], cwd=str(tex_file.parent), capture_output=True,

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def _compile_pdf(self, tex_file):
        try:
            for _ in range(2):
                subprocess.run(
                    ['pdflatex', '-interaction=nonstopmode', str(tex_file)],
                    cwd=str(tex_file.parent),
                    capture_output=True,
Confidence
94% confidence
Finding
subprocess.run( ['pdflatex', '-interaction=nonstopmode', str(tex_file)], cwd=str(tex_file.parent), capture_output=True,

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def _compile_pdf(self, tex_file):
        try:
            for _ in range(2):
                subprocess.run(
                    ['pdflatex', '-interaction=nonstopmode', str(tex_file)],
                    cwd=str(tex_file.parent),
                    capture_output=True,
Confidence
88% confidence
Finding
subprocess.run( ['pdflatex', '-interaction=nonstopmode', str(tex_file)], cwd=str(tex_file.parent), capture_output=True,

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
            tex_path = Path(tex_path)
            for _ in range(2):
                subprocess.run(
                    ['pdflatex', '-interaction=nonstopmode', str(tex_path)],
                    cwd=str(tex_path.parent),
                    capture_output=True,
Confidence
87% confidence
Finding
subprocess.run( ['pdflatex', '-interaction=nonstopmode', str(tex_path)], cwd=str(tex_path.parent), capture_output=True,

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""编译 PDF"""
        try:
            for _ in range(2):
                subprocess.run(
                    ['pdflatex', '-interaction=nonstopmode', str(tex_file)],
                    cwd=str(tex_file.parent),
                    stdout=subprocess.DEVNULL,
Confidence
88% confidence
Finding
subprocess.run( ['pdflatex', '-interaction=nonstopmode', str(tex_file)], cwd=str(tex_file.parent), stdout=subprocess.DEVNULL

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def _compile_pdf(self, tex_file):
        try:
            for _ in range(2):
                subprocess.run(
                    ['pdflatex', '-interaction=nonstopmode', str(tex_file)],
                    cwd=str(tex_file.parent),
                    capture_output=True,
Confidence
87% confidence
Finding
subprocess.run( ['pdflatex', '-interaction=nonstopmode', str(tex_file)], cwd=str(tex_file.parent), capture_output=True,

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill advertises capabilities that imply file reads/writes, network access, and shell execution, but it does not declare permissions or clearly bound those actions. This is dangerous because users and hosting platforms cannot make an informed trust decision, especially when the documented workflow includes unattended execution, PDF compilation, and external API access.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The documented behavior overstates and partially misrepresents what the skill does, including quality guarantees, automation guarantees, and the nature of evaluation/improvement logic. Misleading behavior descriptions are security-relevant because users may grant trust, automation, or broad execution rights under false assumptions about reliability, scope, and safeguards.

Context-Inappropriate Capability

Medium
Confidence
78% confidence
Finding
The skill invokes a local compiler subprocess as part of processing remote and user-influenced content, expanding its attack surface beyond simple text generation. In this context, academic survey generation does not inherently require privileged local process execution, and the subprocess becomes materially riskier because it compiles attacker-controllable TeX content.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill performs external process execution as part of normal operation, which expands the attack surface beyond simple text generation. In combination with attacker-influenced TeX content, this can turn a content-generation tool into a local command/file-processing primitive, making the capability more dangerous than the manifest suggests.

Context-Inappropriate Capability

Medium
Confidence
80% confidence
Finding
This skill's stated purpose is document generation, but it escalates to executing a local compiler process without necessity controls, isolation, or trust checks. In context, that stronger capability materially increases risk because the compiler is fed content derived from remote data and writes files on the local system.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill promotes automated generation and maintenance of output/history files without warning users that it will create and modify local files. In an agent setting, silent filesystem changes can lead to unexpected disk usage, overwrites, accumulation of generated content, or leakage through saved artifacts.

Missing User Warnings

Low
Confidence
86% confidence
Finding
The documentation describes live arXiv queries and metadata retrieval but does not clearly disclose network usage or the fact that user-provided topics may be sent to an external service. This matters because users may assume local-only operation and inadvertently expose research interests or generate unexpected outbound traffic.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The cron example encourages unattended hourly execution without cautioning about recurring network traffic, repeated file creation, LaTeX compilation, and cumulative resource consumption. In practice this can create operational risk, fill storage, and repeatedly contact external services without user awareness.

Missing User Warnings

Low
Confidence
74% confidence
Finding
Executing pdflatex without explicit disclosure is not just a transparency concern here because the command processes untrusted remote content and can consume significant local resources or trigger dangerous TeX behavior. In the context of this skill, hidden local command execution makes the risk more serious than a generic warning omission.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The skill automatically executes a local compiler on generated content with no warning, consent, or review step. In this context, because the LaTeX includes untrusted remote text, removing human review increases the chance that malicious or malformed input reaches the compiler and triggers file disclosure, command execution, or denial-of-service behaviors.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill repeatedly overwrites the provided `.tex` file in place without backup, preview, or confirmation. In an agent setting, this can destroy user content, corrupt important documents, or silently inject changes that later get compiled or shared, making the behavior unsafe even if not traditionally exploitative.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Running `pdflatex` without a clear user warning or explicit consent is dangerous because it executes a complex external toolchain on attacker-controlled document content. In this skill's context, the danger is increased because the same workflow first mutates the document and then automatically compiles it, creating an end-to-end path from untrusted input to external processing.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The skill silently executes pdflatex as part of normal operation, so a user invoking survey generation may unknowingly trigger local code-like processing on untrusted document content. Lack of warning or confirmation increases the chance that this higher-risk action occurs in unsafe environments and reduces opportunities to apply safer defaults.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.