Sgr arXiv Day

Security checks across malware telemetry and agentic risk

Overview

This is a small arXiv-reporting skill; its file output and Chinese report format are stated in the skill text and consistent with its declared purpose.

Install it if you want a daily arXiv digest in Chinese and are comfortable with it searching arXiv through the referenced watcher skill and writing the result into the report directory without asking first. If overwriting matters to you, check whether a report file for today's date already exists before running it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium severity, 89% confidence
Finding
The skill explicitly writes a file to `report/YYYY-MM-DD_daily.md` but does not disclose that it will modify the workspace or ask for user approval first. In agent environments, silent filesystem writes can surprise users, overwrite existing content, or be chained with automation in ways that create unintended side effects.
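The finding above is about an unguarded write to `report/YYYY-MM-DD_daily.md`. The following is an added example, not code from the skill or from SkillSpector, showing how a report writer (or a wrapper around the skill) can make that write safe: it validates the date, confines the target to the report directory, and creates the file with `open(..., "x")` so an existing report is never silently clobbered unless the caller opts in. The function names, the `overwrite` flag and the `demo()` driver are assumptions introduced here for illustration.

```python
"""Guarded daily-report write (added example; not the skill's own code)."""
from __future__ import annotations

import datetime as dt
import os
import re
import tempfile
from pathlib import Path

# Only a bare ISO date is accepted as the file-name component, so no path
# separators or '..' segments can reach the filesystem through `date`.
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def report_path(report_dir: str | os.PathLike, date: str) -> Path:
    """Return <report_dir>/<date>_daily.md after validating and confining the path."""
    if not DATE_RE.match(date):
        raise ValueError(f"date must be YYYY-MM-DD, got {date!r}")
    dt.date.fromisoformat(date)  # rejects calendar-invalid values such as 2024-13-45
    base = Path(report_dir).resolve()
    target = (base / f"{date}_daily.md").resolve()
    if target.parent != base:  # belt-and-braces: the regex already forbids separators
        raise ValueError("report path escaped the report directory")
    return target


def existing_report(report_dir: str | os.PathLike, date: str) -> Path | None:
    """Pre-run check: the report that would be overwritten, or None if there is none."""
    target = report_path(report_dir, date)
    return target if target.exists() else None


def write_daily_report(report_dir: str | os.PathLike, date: str, content: str,
                       *, overwrite: bool = False) -> Path:
    """Write the digest; by default refuse to replace an existing file for that date."""
    target = report_path(report_dir, date)
    target.parent.mkdir(parents=True, exist_ok=True)
    # 'x' creates the file exclusively and raises FileExistsError instead of clobbering.
    mode = "w" if overwrite else "x"
    with open(target, mode, encoding="utf-8") as fh:
        fh.write(content)
    return target


def demo() -> dict:
    """Exercise the guard in a scratch directory (constructed input) and return what happened."""
    report_dir = tempfile.mkdtemp(prefix="report_")
    out = {"before": existing_report(report_dir, "2024-05-01") is None}
    first = write_daily_report(report_dir, "2024-05-01", "# arXiv digest\n")
    out["name"] = first.name
    out["after"] = existing_report(report_dir, "2024-05-01") == first
    try:
        write_daily_report(report_dir, "2024-05-01", "second run\n")
        out["clobber_blocked"] = False
    except FileExistsError:
        out["clobber_blocked"] = True
    forced = write_daily_report(report_dir, "2024-05-01", "second run\n", overwrite=True)
    out["forced"] = forced.read_text(encoding="utf-8")
    rejected = []
    for bad in ("2024-13-45", "../2024-05-01", "2024-05-01/../../x"):
        try:
            report_path(report_dir, bad)
        except ValueError:
            rejected.append(bad)
    out["rejected"] = rejected
    return out


if __name__ == "__main__":
    print(demo())
```

An agent host that wants the approval step the finding asks for can call `existing_report()` first and surface the path to the user; only a deliberate `overwrite=True` replaces a file.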

Natural-Language Policy Violations

Medium severity, 83% confidence
Finding
The skill mandates Chinese output regardless of user preference, which can reduce transparency and informed review if the user expects another language. While not directly enabling code execution or data exfiltration, forced locale can cause misunderstandings about report contents and file outputs, especially in multilingual or compliance-sensitive workflows.

VirusTotal

64/64 vendors reported this skill as clean.
