机关公文排版skill

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward local Word document formatter that reads a user-chosen .docx file and saves a formatted output file, with no evidence of hidden network access or credential use.

Install only if you want a local script to reformat Word documents. Use a separate output filename to avoid overwriting important files, keep backups for sensitive documents, and install python-docx from a trusted Python environment if it is missing.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The trigger phrases are broad enough to match routine document-editing requests, which can cause the agent to invoke this skill in situations the user did not specifically intend. Because the skill modifies document formatting and writes an output file, overbroad activation increases the chance of unintended file processing or surprising document changes.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill description does not clearly warn users that it will alter Word document formatting and create an output file, reducing informed consent and making unintended modifications more likely. In an agent setting, missing disclosure can lead users to provide sensitive or important documents without realizing the skill performs write-like transformations.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal