1coos-markdown-converter

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Markdown conversion skill that reads a user-selected file, runs an expected converter, and writes a Markdown output file.

Install this only if you are comfortable with uvx downloading the markitdown[all] converter dependencies and with the selected documents being parsed into Markdown. Avoid highly sensitive or untrusted files unless you understand the converter behavior, and note that the instructions mention main.ts while the artifact contains main.js, which may need correction for successful use.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 93% confidence
Finding: The trigger description is broad enough to activate on many ordinary requests involving file conversion, extraction, or document formatting. In an agent setting, over-broad triggering can cause the skill to run unexpectedly on sensitive local files or remote content, increasing the chance of unintended data processing or writes without sufficiently specific user intent.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill description and usage guidance do not clearly warn that conversion may create output files and may process sensitive content from local documents, archives, images, audio, or remote sources like YouTube URLs. Users may invoke it without understanding that their data could be extracted, transformed, cached by dependencies, or written to disk in a new location.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal