research-paper-pdf-translator

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it extracts text from a user-provided research PDF so an agent can translate and summarize it, with some privacy and temporary-file cautions.

Install only if you are comfortable sending the full PDF text into the agent conversation. Avoid running it in a directory containing an important file named temp_paper_for_translation.txt, and install poppler-utils/pdftotext from a trusted package source.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill writes a predictable temporary file into the same directory as the input PDF and later deletes it, without isolating the file in a secure temp location. This can expose extracted document contents on disk, cause unintended overwrite/collision with an existing file of the same name, and create race/symlink risks if run in shared or untrusted directories.

Missing User Warnings

Medium

Confidence: 98% confidence
Finding: The skill prints the full extracted PDF text and the original filesystem path directly to stdout, which can leak sensitive document contents and path metadata into agent logs, transcripts, or downstream systems. In an agent environment, stdout is often captured and forwarded, so this behavior materially increases the risk of data exfiltration from potentially confidential PDFs.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal