DOCX TO HTML CONVERTER

Security checks across malware telemetry and agentic risk

Overview

This is a local DOCX-to-HTML converter with ordinary document-copying and dependency-installation risks, but no evidence of hidden or malicious behavior.

Install only if you are comfortable running local Python/Node scripts and npm dependencies. Use it only on DOCX files you intend to process, choose an output path you control, review generated HTML before sharing or indexing it, and delete it when it contains sensitive content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

High, 93% confidence
Finding
The trigger text is extremely broad: it says to always use this skill for any DOCX-related task, including simple mentions of a `.docx` filename. Over-broad invocation can cause the agent to unnecessarily route benign requests into a code-executing conversion workflow, increasing exposure to file handling, shell execution, and unintended processing of sensitive documents.

Missing User Warnings

Medium, 90% confidence
Finding
The workflow tells the user to generate an HTML file and notes that images are embedded as base64, but it does not clearly warn that the output may contain the full document contents, including embedded images and potentially sensitive information. In AI or web contexts, users may then share, render, or index this HTML without realizing they have created a portable copy of the source document's contents.

VirusTotal

66/66 vendors flagged this skill as clean.
