PDF to Markdown

Security checks across malware telemetry and agentic risk

Overview

This PDF conversion skill is coherent and purpose-aligned, but users should review the optional remote install command and handle extracted document contents carefully.

Before installing, prefer the pip install path or inspect any remote install script before running it. Process confidential PDFs only in trusted directories, review generated Markdown/JSON/HTML files before sharing them, and delete extracted outputs when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill encourages converting PDFs into local Markdown/JSON/HTML outputs, including OCR for scanned documents, but does not warn that potentially sensitive document contents will be extracted and persisted to disk. In a document-processing skill, this omission materially increases the risk of accidental data exposure, especially for confidential PDFs, because users may not realize OCR text and structured metadata are being saved locally.

VirusTotal

No VirusTotal findings
