Security audit

Markdown to Word

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Markdown-to-Word conversion skill, but users should be aware it can fetch external image URLs and run a local Mermaid renderer.

Install only if you are comfortable with a converter that may contact external servers referenced by Markdown image URLs. Avoid running it on untrusted Markdown in sensitive network environments, and set MMDCCMD only to a trusted Mermaid CLI binary.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Tainted flow: 'cmd' from os.environ.get (line 99, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
cmd.extend(["-c", cfg])

        print(f"🔧 执行命令: {' '.join(cmd)}")
        result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)

        if result.returncode != 0:
            print(f"⚠️ mmdc 命令执行失败: {result.stderr}")
Confidence
95% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The changelog shows the skill now automatically downloads external images from HTTP/HTTPS URLs during Markdown conversion. That expands the skill from local document formatting into network-enabled behavior, which can expose users to SSRF-style access, privacy leakage, and processing of untrusted remote content if Markdown input is attacker-controlled.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The function explicitly performs outbound network access to fetch remote images embedded in Markdown. This expands the skill's behavior beyond local document conversion and can leak user IP/addressing metadata to third-party hosts, enable unwanted external connectivity, and expose the tool to server-side request forgery style access if untrusted Markdown is processed in sensitive environments.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
When parsing Markdown image syntax, the code automatically downloads any http/https image reference without additional confirmation or policy checks. In environments where Markdown content is attacker-controlled, this can trigger unsolicited outbound requests and potentially reach internal or sensitive network locations via crafted URLs.

Missing User Warnings

Low
Confidence
90% confidence
Finding
Automatically downloading external URL images without prominent disclosure creates a privacy and transparency risk because converting a document can unexpectedly contact third-party servers. Even if intended as a convenience feature, silent network access may leak IP address, timing, and document-related metadata, especially in sensitive environments.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill does not prominently disclose that converting a Markdown file may contact external servers referenced by image URLs. This creates a privacy and supply-chain risk because users may assume offline conversion while the tool silently transmits request metadata and retrieves untrusted content from third parties.

VirusTotal

65/65 vendors flagged this skill as clean.
