Unpinned Dependencies
Low
- Category
- Supply Chain
- Content
dataclasses docx pdfplumber pypdf2
- Confidence
- 95% confidence
- Finding
- dataclasses
Ib Summarizer
Security checks across malware telemetry and agentic risk
Overview
This document-processing skill appears purpose-aligned, but its unpinned and vulnerable document parser dependencies make it risky to install for untrusted PDFs or DOCX files.
Install only if you trust the documents being processed or can run the skill in a constrained environment. Prefer a version that pins dependencies, updates or replaces vulnerable PDF/DOCX parsers, and documents input size, timeout, and sandboxing limits.
SkillSpector
By NVIDIA
Vulnerability Patterns
- Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
- Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
- Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (7)
Unpinned Dependencies
Low
- Category
- Supply Chain
- Content
dataclasses docx pdfplumber pypdf2 python-docx
- Confidence
- 95% confidence
- Finding
- docx
Unpinned Dependencies
Low
- Category
- Supply Chain
- Content
dataclasses docx pdfplumber pypdf2 python-docx
- Confidence
- 95% confidence
- Finding
- pdfplumber
Unpinned Dependencies
Low
- Category
- Supply Chain
- Content
dataclasses docx pdfplumber pypdf2 python-docx
- Confidence
- 98% confidence
- Finding
- pypdf2
Unpinned Dependencies
Low
- Category
- Supply Chain
- Content
docx pdfplumber pypdf2 python-docx
- Confidence
- 98% confidence
- Finding
- python-docx
Known Vulnerable Dependency: pypdf2 — 5 advisory(ies): CVE-2023-36464 (pypdf and PyPDF2 possible Infinite Loop when a comment isn't followed by a chara); CVE-2023-36807 (PyPDF2 vulnerable to possible Infinite Loop when reading malformed objects); CVE-2023-36810 (PyPDF2 quadratic runtime with malformed PDF missing xref marker) +2 more
High
- Category
- Supply Chain
- Confidence
- 99% confidence
- Finding
- pypdf2
Known Vulnerable Dependency: python-docx — 2 advisory(ies): CVE-2016-5851 (Improper Restriction of XML External Entity Reference in python-docx); CVE-2016-5851 (python-docx before 0.8.6 allows context-dependent attackers to conduct XML Exter)
High
- Category
- Supply Chain
- Confidence
- 99% confidence
- Finding
- python-docx
VirusTotal
66/66 vendors flagged this skill as clean.