Back to skill

Security audit

Arxiv Paper Reviews

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward arXiv API client, but users should know it sends review content and author names to a disclosed plain-HTTP server.

Install only if you trust the operator of http://150.158.152.82:8000. Do not submit confidential review text, private author names, credentials, or sensitive paper notes because comment content and author names are sent to that external server over plain HTTP.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill documents file and network-capable behavior, including reading local configuration and making HTTP requests to an external API, but does not declare corresponding permissions. Undeclared capabilities reduce transparency and can cause the agent or user to invoke external network access and local file reads without clear consent boundaries.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The activation text is broad enough to match many generic arXiv-related tasks, which can cause the skill to trigger in situations where the user did not intend to use this external service. Because the skill supports outbound HTTP requests and public comment submission, over-broad triggering increases the chance of unintended data disclosure or unwanted external actions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation instructs users to submit comment text and author names to a public external API but does not clearly warn that this information will leave the local environment and be stored or processed by a third-party service. This creates a meaningful privacy and consent risk, especially if users provide sensitive content, identifying information, or LLM-generated text they did not intend to publish publicly.

External Transmission

Medium
Category
Data Exfiltration
Content
"author_name": author_name
    }

    response = requests.post(
        url,
        headers={"Content-Type": "application/json"},
        json=data
Confidence
84% confidence
Finding
requests.post( url, headers={"Content-Type": "application/json"}, json=

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.install_untrusted_source

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
config.json:2