Converter

Security checks across malware telemetry and agentic risk

Overview

This is a transparent local file-conversion helper, with normal caution needed around local commands and batch file operations.

Install only if you are comfortable with the agent proposing or running local conversion commands on files you specify. Review paths, wildcards, and output locations before execution, keep backups for important files, and approve external services only when you are willing to share the file.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The example uses `magick mogrify -format webp *.jpg`, which performs batch processing in place and can modify large sets of user files without an explicit warning, backup recommendation, or safer dry-run alternative. In a conversion skill that presents commands as 'Ready to Execute,' this raises the risk of accidental data loss, overwrites, or irreversible workflow mistakes if users run the command in the wrong directory or misunderstand `mogrify` behavior.

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The trigger phrases are broad and map to very common user intents such as file conversion, extraction, and format changes. This can cause the skill to activate in more contexts than intended, increasing the chance it is selected for requests involving untrusted files or ambiguous tasks, which expands attack surface for any downstream local tool execution.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal