HF Daily Papers (OFR Edition)

Security checks across malware telemetry and agentic risk

Overview

This skill fetches public research paper listings, writes local digest files, and can send a disclosed Telegram digest when the user configures it.

Install if you want an automated research-paper digest. Before enabling Telegram or a cron schedule, confirm the target chat/channel, test privately first, and review the optional proxy setting so traffic goes through a proxy you control.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Low
Confidence: 92%
Finding
The skill explicitly documents writing output files and optionally pushing content to Telegram, but it does not warn users about these side effects or require clear confirmation. In an agent setting, silent file creation and outbound messaging can cause unintended data disclosure, spam, or operational surprises even if the content is only paper recommendations.

VirusTotal

66/66 vendors flagged this skill as clean.