Back to skill

Security audit

Pdf Extractor Skill

Security checks across malware telemetry and agentic risk

Overview

This PDF extraction skill is mostly purpose-aligned, but its optional LLM mode can send document content to a third-party service using a bundled API key without clear disclosure.

Review before installing. Use only the local Marker or Nougat modes for private, unpublished, regulated, or proprietary PDFs. Avoid --ark-code-latest unless you are comfortable sending document content to Volcengine/OpenAI-compatible services, and remove or replace the embedded key so remote processing uses an explicit credential you control.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The code comment claims secrets are not hardcoded, but the fallback value embeds a live-looking API key directly in source. Hardcoded credentials are dangerous because anyone with repository or package access can reuse the key, and the script will silently authenticate remote requests with it when LLM mode is enabled.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill explicitly recommends using an API-backed enhancement mode ('--ark-code-latest' and OpenAI-compatible options) for PDF conversion but does not warn that document contents may be transmitted to a remote service. Because PDFs may contain unpublished research, proprietary data, or sensitive personal information, users could unknowingly exfiltrate content off-host during extraction.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code sends prompt text and image contents to an OpenAI-compatible HTTP service at a configurable endpoint, which can expose sensitive user data to another process or service without any explicit consent, disclosure, or data-classification guardrails in this component. Although the default endpoint is localhost, it is still an external service boundary from the application's perspective, and prompts/images may contain confidential document data.

Missing User Warnings

High
Confidence
98% confidence
Finding
This script contains an embedded fallback API key and later uses it to configure a remote OpenAI-compatible service, enabling outbound transmission under bundled credentials. That creates both credential exposure and unexpected third-party processing of PDF contents, which may include sensitive documents.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
When LLM hybrid mode is enabled, the script forwards configuration for an external model service without an explicit privacy warning or consent barrier. In the context of a PDF extraction tool, users may process confidential academic, corporate, or personal PDFs and not realize content could leave the local environment.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal