Karpathy Wiki

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local research-wiki workflow with optional arXiv paper downloading, not hidden or malicious behavior.

Install this only in a workspace where you want an agent to maintain a persistent research wiki. Commit or back up the wiki before running ingest or lint, review every generated edit before accepting it, and treat downloaded arXiv PDFs as untrusted files. If you use the downloader, run the Python helper directly: the shell wrapper has a packaging/syntax problem.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 84%
Finding: The skill declares no permissions, yet its bundled functionality explicitly describes network access to the arXiv API and downloading PDFs. This creates a capability/permission mismatch that can lead to unexpected outbound requests and file writes, which is dangerous in an agent setting because users and policy layers cannot accurately reason about what the skill may do.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 89%
Finding: The advertised purpose is wiki maintenance and research-note organization, but the skill also performs external paper discovery, filtering, and downloading. That mismatch is risky because users may invoke what appears to be a local knowledge-management skill without realizing it can reach out to external services, fetch untrusted content, and alter the local repository state.

Description-Behavior Mismatch
Severity: Medium
Confidence: 82%
Finding: Bundling external search and PDF download into a skill framed as wiki maintenance broadens the attack surface beyond what the manifest suggests. Even if intended for convenience, it introduces network interaction and ingestion of untrusted remote content, which can trigger privacy, provenance, and repository-integrity issues.

Vague Triggers
Severity: Medium
Confidence: 78%
Finding: The trigger conditions use broad, everyday phrases such as building a knowledge base or managing notes, which can cause accidental activation in unrelated contexts. In an agent environment, overbroad activation is dangerous because it may initiate file reads, writes, or network-linked workflows when the user did not intend to invoke this skill.

Vague Triggers
Severity: Medium
Confidence: 80%
Finding: The trigger list lacks clear boundaries and exclusions, making the skill easy to activate for generic research, note-taking, or question-answering tasks. Because the skill is stateful and can modify a persistent wiki, accidental invocation can lead to unintended repository changes and misleading logs or synthesized content.

Missing User Warnings
Severity: Medium
Confidence: 86%
Finding: The documentation instructs the agent to automatically create and update multiple knowledge-base files during ingest, but it does not prominently warn users that persistent local content will be modified. This is risky because users may provide source material expecting analysis only, while the skill performs broad write operations across the repository.

Missing User Warnings
Severity: High
Confidence: 91%
Finding: The lint workflow promises to automatically repair detected issues across the wiki without requiring explicit approval for each modification. In a persistent knowledge base, bulk auto-edits can silently rewrite prior content, remove nuance, or propagate model mistakes at scale, making this more dangerous than ordinary formatting cleanup.
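The two preceding findings (unannounced writes during ingest, unapproved bulk repairs during lint) both come down to the same missing control: nobody measures how much of the wiki an operation touched before the result becomes permanent. The following is an added example, not code from the Karpathy Wiki skill or the SkillSpector report, of how to wrap such an operation in a snapshot and roll it back when it exceeds a change budget. The wiki layout, the budget of two files, and the sample "lint" that rewrites every page are this example's own assumptions; the skill's real ingest and lint commands are not modelled.

```python
"""Wrap a wiki-modifying operation in a snapshot so bulk edits can be reviewed.

Added example; it is not part of the Karpathy Wiki skill or the SkillSpector
report. The wiki layout, the threshold and the sample "lint" operation are
this example's own assumptions.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_snapshots(before: dict, after: dict) -> dict:
    """Classify files as added, removed or modified between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before if p in after and before[p] != after[p]),
    }


def _restore(root: Path, backup: Path) -> None:
    """Replace root with the backup copy taken before the operation ran."""
    shutil.rmtree(root)
    shutil.copytree(backup, root)


def run_with_blast_radius(root: Path, operation, max_changed_files: int) -> dict:
    """Back up root, run operation(root), and roll back if it touched too many files.

    The returned report lists added/removed/modified files, the total touched,
    and whether the result was kept.  An exception inside the operation also
    triggers a rollback so a half-applied ingest never stays on disk.
    """
    backup_dir = Path(tempfile.mkdtemp(prefix="wiki-backup-"))
    backup = backup_dir / "wiki"
    shutil.copytree(root, backup)
    before = snapshot(root)
    try:
        try:
            operation(root)
        except Exception:
            _restore(root, backup)
            raise
        report = diff_snapshots(before, snapshot(root))
        report["touched"] = sum(len(report[k]) for k in ("added", "removed", "modified"))
        report["kept"] = report["touched"] <= max_changed_files
        if not report["kept"]:
            _restore(root, backup)
        return report
    finally:
        shutil.rmtree(backup_dir, ignore_errors=True)


def demo() -> dict:
    """Constructed sample: a three-page wiki and a 'lint' that rewrites every page."""
    root = Path(tempfile.mkdtemp(prefix="wiki-")) / "wiki"
    root.mkdir()
    for name in ("index.md", "alpha.md", "beta.md"):
        (root / name).write_text(f"# {name}\noriginal text\n")

    def bulk_lint(wiki: Path) -> None:
        # Stand-in for an auto-repair pass: rewrites all pages and adds a log.
        for page in wiki.glob("*.md"):
            page.write_text(page.read_text().replace("original", "rewritten"))
        (wiki / "log.md").write_text("auto-fixed 3 pages\n")

    # Four files touched against a budget of two: the edits are rolled back.
    report = run_with_blast_radius(root, bulk_lint, max_changed_files=2)
    report["index_after"] = (root / "index.md").read_text()
    report["log_exists"] = (root / "log.md").exists()
    shutil.rmtree(root.parent, ignore_errors=True)
    return report


if __name__ == "__main__":
    print(demo())
```

A git checkout gives the same rollback with `git stash` or `git checkout -- .`, but the point of the report is the list of touched files: that is what a reviewer reads before deciding whether an auto-repair pass was formatting cleanup or a rewrite of the knowledge base.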

Missing User Warnings
Severity: Medium
Confidence: 83%
Finding: The bundled script performs network search and PDF downloads but does not clearly warn about outbound requests, remote content provenance, or local storage effects. This can expose user interests to external services and introduce untrusted files into the workspace without sufficient transparency.
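The Lp3 finding (undeclared network capability) and this last one (untrusted downloads landing in the workspace) describe the three places where a download path needs a gate: which host the request may go to, what the file is allowed to be called locally, and whether the bytes that came back are a plain PDF. The following is an added example, not the skill's own helper, showing those checks with constructed sample input. It assumes the helper talks to arxiv.org or export.arxiv.org over HTTPS and names files after the new-style arXiv identifier (YYMM.NNNNN, optional vN suffix); the size limit and the list of active-content markers are this example's own choices.

```python
"""Gate the arXiv download path: egress host, local filename, and PDF content.

Added example; it is not the skill's own helper. It assumes the helper
talks to arxiv.org / export.arxiv.org over HTTPS and stores PDFs under a
name derived from the new-style arXiv identifier (YYMM.NNNNN[vN]); the
size limit and the active-content marker list are this example's choices.
"""
import re
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"arxiv.org", "export.arxiv.org"}
MAX_PDF_BYTES = 50 * 1024 * 1024
ARXIV_ID = re.compile(r"^\d{4}\.\d{4,5}(v\d+)?$")
# PDF name objects that introduce script or auto-run behaviour. A preprint has
# no reason to carry them, so their presence is enough to quarantine the file.
ACTIVE_CONTENT = re.compile(rb"/(JavaScript|JS|Launch|OpenAction|AA|RichMedia|EmbeddedFile)\b")


def url_is_allowed(url: str) -> bool:
    """Only HTTPS requests to the arXiv hosts may leave the workspace."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS


def safe_local_name(arxiv_id: str):
    """Derive the on-disk name from the identifier, never from a server-supplied name."""
    return f"{arxiv_id}.pdf" if ARXIV_ID.match(arxiv_id) else None


def pdf_problems(data: bytes) -> list:
    """List the reasons a downloaded blob should not be trusted as a plain PDF."""
    problems = []
    if not data.startswith(b"%PDF-"):
        problems.append("missing %PDF- header")
    if len(data) > MAX_PDF_BYTES:
        problems.append("exceeds size limit")
    if b"%%EOF" not in data[-2048:]:
        problems.append("no %%EOF trailer")
    markers = {m.group(1).decode() for m in ACTIVE_CONTENT.finditer(data)}
    problems.extend(f"active content: /{name}" for name in sorted(markers))
    return problems


def vet_download(url: str, arxiv_id: str, data: bytes) -> dict:
    """Combine the three checks into one accept/reject verdict for a download."""
    verdict = {
        "url_ok": url_is_allowed(url),
        "filename": safe_local_name(arxiv_id),
        "problems": pdf_problems(data),
    }
    verdict["accept"] = verdict["url_ok"] and verdict["filename"] is not None and not verdict["problems"]
    return verdict


# Constructed sample inputs (not real arXiv files): a minimal clean PDF and one
# whose catalog auto-runs a JavaScript action on open.
SAMPLE_CLEAN = b"%PDF-1.4\n1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n%%EOF\n"
SAMPLE_JS = (
    b"%PDF-1.7\n1 0 obj<</Type/Catalog/OpenAction 2 0 R>>endobj\n"
    b"2 0 obj<</S/JavaScript/JS(app.alert(1))>>endobj\n%%EOF\n"
)

if __name__ == "__main__":
    print(vet_download("https://arxiv.org/pdf/2301.01234v2", "2301.01234v2", SAMPLE_CLEAN))
    print(vet_download("https://arxiv.org/pdf/2301.01234v2", "2301.01234v2", SAMPLE_JS))
```

The marker scan is a byte-level triage, not a parser: object streams and filters can hide these names from it, so a rejected file is certainly suspect while an accepted one is merely not obviously hostile and should still be opened with a viewer that does not execute embedded scripts. The host allowlist is the piece that addresses Lp3 directly; it makes the skill's real egress explicit even though its manifest does not.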

VirusTotal

0 of 65 VirusTotal vendors flagged this skill as malicious. VirusTotal runs signature-based anti-malware engines over the package; a clean result does not address the agentic risks listed above (undeclared network capability, overbroad triggers, unreviewed bulk edits, untrusted downloads), because those are not what such engines look for.
