Back to skill

Security audit

Trans Doc to Markdown

Security checks across malware telemetry and agentic risk

Overview

This skill coherently converts documents into bilingual Markdown, but users should be aware it can use Lexiang credentials, download remote assets, and optionally send text to Gemini.

Install only if you are comfortable with a document workflow that can use your existing Lexiang MCP token to retrieve documents/assets and can optionally send Markdown text to Gemini when you choose that path. Avoid using it on confidential documents unless those services are approved, and prefer the default non-Gemini workflow for sensitive content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Tainted flow: 'download_url' from open (line 153, file read) → urllib.request.urlopen (network output)

High
Category
Data Flow
Content
except (json.JSONDecodeError, UnicodeDecodeError) as e:
            return None, f"invalid asset json: {e}"
        try:
            with urllib.request.urlopen(download_url, timeout=120) as resp:
                data = resp.read()
                if not mime:
                    mime = resp.headers.get("Content-Type", "")
Confidence
93% confidence
Finding
with urllib.request.urlopen(download_url, timeout=120) as resp:

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The declared description understates important behaviors: remote asset/PDF downloads, possible use of existing credentials for Lexiang access, optional third-party Gemini translation, and validator/extractor side effects. This mismatch can cause operators to invoke the skill under false assumptions about data egress and external access, increasing the risk of unintended disclosure of document contents or authenticated retrieval of protected resources.

Description-Behavior Mismatch

High
Confidence
93% confidence
Finding
The skill metadata describes document/package conversion and explicitly says publishing is delegated elsewhere, but this script sends document contents to an external LLM service for translation. That capability materially expands the skill's behavior and data exposure beyond the stated scope, creating a hidden exfiltration path for potentially sensitive document contents.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The code accesses an external LLM service and reads API credentials in a skill whose declared purpose does not justify that access. Even if the behavior is functionally useful, undeclared credential use and outbound content transfer weaken trust boundaries and can expose sensitive data without operator awareness.

Missing User Warnings

Low
Confidence
85% confidence
Finding
The README instructs users to fetch remote Lexiang documents and PDFs via URLs, which causes network access to external resources, but it does not clearly warn that using the skill may contact third-party systems or retrieve untrusted remote content. In a document-processing skill, this is not inherently malicious, but it creates transparency and data-handling risk because users may not realize external requests will occur or that remote content may be ingested into local processing workflows.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The dependency section states that the Lexiang fetch uses existing credentials and that Gemini may use an API key, but the README does not warn users that the skill may access sensitive local credentials or environment secrets during operation. This is dangerous mainly from a consent and exposure perspective: users may invoke the skill without understanding that it can rely on privileged tokens and external APIs.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The skill tells users it can process Lexiang links but does not prominently warn that doing so may download remote assets and may rely on pre-existing credentials. That can surprise users into accessing or copying remote content they did not expect to retrieve, especially in environments with ambient authentication.

Natural-Language Policy Violations

Medium
Confidence
97% confidence
Finding
The skill explicitly requires Chinese or bilingual Chinese output based on a fixed language-detection rule, without offering a user-controlled language preference or opt-in. This can override user expectations, reduce accessibility for non-Chinese users, and cause unintended disclosure or transformation of content into a language the user did not request.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script transmits Markdown content to Gemini without any user-facing notice or confirmation. If documents contain internal text, secrets, proprietary content, or personal data, this causes silent disclosure to a third-party service, which is especially risky given the skill's conversion-oriented framing.

External Transmission

Medium
Category
Data Exfiltration
Content
for attempt in range(3):
        try:
            resp = requests.post(URL, json=payload, timeout=120)
            if resp.status_code == 200:
                data = resp.json()
                return data["candidates"][0]["content"]["parts"][0]["text"]
Confidence
89% confidence
Finding
requests.post(URL, json=

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.