Arxiv Search

Security checks across malware telemetry and agentic risk

Overview

The arXiv metadata tool includes much broader survey, brainstorming, thesis, and workflow-execution machinery than its narrow description discloses.

Install only if you intentionally want a larger research-workflow bundle, not just arXiv metadata retrieval. Review the bundled pipelines before use, restrict automatic routing, and avoid running it in workspaces where broad output rewrites or shell-capable workflow stages would be unacceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 92%
Finding: The skill instructs the agent to read workspace files, write output files, invoke a Python script, and use the network, but the metadata only declares binary requirements and does not disclose these operational capabilities as permissions. This creates a transparency and policy-enforcement gap: a caller or platform may treat the skill as low-privilege even though it can access local data, modify files, and perform outbound requests.

Description-Behavior Mismatch
Severity: High
Confidence: 99%
Finding: The file content is wholly unrelated to the declared arXiv metadata-retrieval skill and instead defines a broad graduate-thesis authoring pipeline. This kind of skill/manifest mismatch is dangerous because it can bypass user and platform expectations, causing an agent invoked for narrow metadata collection to perform expansive document analysis, rewriting, and workflow control outside its approved scope.

Context-Inappropriate Capability
Severity: High
Confidence: 98%
Finding: The documented capabilities include thesis reconstruction, TeX writeback, compile/review, style polishing, and citation enhancement, all far beyond a metadata-only retrieval skill. In context, this materially expands the operational authority of the skill, increasing the chance of unauthorized file modification, deceptive task routing, and unsafe execution paths under a misleadingly narrow skill identity.

Context-Inappropriate Capability
Severity: Medium
Confidence: 94%
Finding: The pipeline explicitly specifies generating a build report under `output/`, which conflicts with the manifest guardrail stating the skill should only handle metadata and should not write long prose in `output/`. Even if seemingly procedural, this weakens containment guarantees and normalizes output-channel abuse, making it easier for an agent to emit unauthorized reports or derived content under a trusted skill name.

Context-Inappropriate Capability
Severity: High
Confidence: 96%
Finding: The file is supposed to support an arXiv metadata skill, but instead acts as a general workflow executor that reads unit definitions from workspace data and launches a generic runner for arbitrary skills. In an agent setting, this expands capability far beyond the declared scope and can execute untrusted or unintended actions if the workspace, repo contents, or unit definitions are attacker-controlled.

Description-Behavior Mismatch
Severity: High
Confidence: 98%
Finding: This file implements a large ideation, ranking, and report-generation pipeline rather than a narrowly scoped arXiv metadata retrieval utility. That mismatch is dangerous because agents may invoke the skill expecting constrained metadata handling, but instead trigger broad content synthesis and workspace-writing behavior outside the declared purpose and guardrails.

Context-Inappropriate Capability
Severity: High
Confidence: 96%
Finding: The code contains direction scoring, screening, shortlist construction, and memo/report payload generation that are unrelated to arXiv metadata retrieval. In an agent setting, this expands capability and side effects beyond what operators expect, increasing the risk of unauthorized analysis steps, unexpected file creation, and policy bypass through misleading skill metadata.

Description-Behavior Mismatch
Severity: High
Confidence: 99%
Finding: These routines generate long-form markdown appendices, memos, and structured reports under output paths, directly conflicting with the manifest guardrail that says not to write long prose under `output/`. This is especially risky because the skill is presented as metadata-only, so downstream systems may trust it with looser review while it actually produces extensive narrative artifacts and modifies the workspace more broadly.

Vague Triggers
Severity: Medium
Confidence: 85%
Finding: The pipeline is marked as `routing_default: true` with broad routing hints such as `survey`, `review`, and their Chinese equivalents. In an agentic system, this can cause the pipeline to activate for loosely related prompts and trigger a large multi-stage workflow, increasing the chance of unintended file creation, network retrieval, or downstream skill invocation without clear user intent.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The file explicitly enables `pre_retrieval_shell` while setting `approval_surface: false`, meaning shell-capable behavior may run without visible user approval or disclosure. Even if intended for workflow automation, hidden shell execution in a skill materially increases risk because upstream routing mistakes or crafted workspace state can lead to unexpected command execution and side effects.

Vague Triggers
Severity: Medium
Confidence: 90%
Finding: The routing hints are broad enough to match common conversational terms like "idea," "brainstorm," and "找方向," which can cause this pipeline to be selected outside its intended scope. In this pipeline, misrouting is meaningful because it triggers a multi-stage workflow that writes many artifacts and invokes multiple downstream skills, increasing the chance of unintended execution, unnecessary data retrieval, or confusing outputs.

VirusTotal

63/63 vendors flagged this skill as clean.