Arxiv Skill Learning

Security checks across malware telemetry and agentic risk

Overview

This skill is purpose-aligned but needs review because it can run generated shell commands and persist generated skill work in the user's workspace.

Install only if you intentionally want a workflow that can generate and test new skills in your workspace. Before running it, review and pin the sibling arxiv-paper-reviews and arxiv-skill-extractor modules, require manual approval for any generated smoke-test command, and avoid enabling any hourly or automatic run until generated skills are reviewed before commit.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Context-Inappropriate Capability

High
Confidence: 98%
Finding
The skill executes `extractionResult.smokeTestCommand` via `execAsync`, and that command is produced by another component based on untrusted paper-derived content. This creates a direct command-execution path that can run arbitrary shell syntax in the workspace, enabling code execution, file modification, secret access, or persistence far beyond a simple orchestration role.

Intent-Code Divergence

Medium
Confidence: 91%
Finding
The absolute-path `require` is not dangerous by itself, but here the code loads an extractor and then trusts its output enough to execute a returned shell command. In this context, the 'safe' framing is misleading because the extractor is effectively a trusted code-and-command source, so compromise or malicious behavior in that module can directly lead to arbitrary command execution.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill advertises an automated learning workflow that ultimately writes and commits newly generated skills into the workspace, but the description does not clearly warn users about this state-changing behavior. Because the source material is external arXiv content and the pipeline includes code generation and solidification, a user could invoke it expecting analysis-only behavior and unknowingly allow untrusted artifacts to be persisted and committed.

VirusTotal

66/66 vendors flagged this skill as clean.