Security audit

pdf-nano

Security checks across malware telemetry and agentic risk

Overview

This PDF skill is mostly a normal document utility, but one form-filling path can silently make persistent font and rendering changes on the host system.

Install only if you are comfortable with a broad local PDF-processing skill. Use copies of important PDFs, avoid elevated privileges, only decrypt documents you are authorized to access, and review or disable the annotation form-filling font installation/cache behavior before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Fragment flagged by the scanner; the `break` shows it sits inside a loop over candidate commands.
# It runs whatever external tool name is held in `cmd` against `target_dir`, ignoring failures.
if cmd:
    try:
        import subprocess
        subprocess.run([cmd, "-f", str(target_dir)], check=False)
        break
    except Exception:
        pass
Confidence
93% confidence
Finding
subprocess.run([cmd, "-f", str(target_dir)], check=False)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill clearly demonstrates file reads, file writes, and shell command usage, but the metadata does not declare any permissions or constraints for those capabilities. This creates a transparency and governance gap: an orchestrator or reviewer may invoke the skill without understanding that it can modify local files or execute external tools, increasing the risk of unintended file access or command execution.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The 'Cross-engine text rendering stabilization' section introduces host-level maintenance actions such as rebuilding font state, reconciling shared font indexes, changing cache ownership/writeability, and registering fonts in machine-visible locations. Those steps go beyond normal PDF processing and can prompt an agent to modify shared system configuration under the guise of routine rendering recovery, creating a path to unauthorized persistence or broader host tampering.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The documentation frames system-configuration changes as ordinary rendering troubleshooting and even says to keep recovery 'silent' unless repeated attempts fail. That wording obscures the true scope of actions affecting shared machine state, reducing operator scrutiny and increasing the likelihood that an agent will perform risky host modifications without meaningful visibility or consent.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
This code copies `.ttf`/`.otf` files from nearby `assets/fonts` directories into user or system font locations and refreshes font caches, despite the skill only needing to annotate PDFs. That behavior is unrelated to the stated purpose, creates persistence outside the workspace, and allows attacker-controlled content near the processed document to influence host state and downstream font processing.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The activation text is extremely broad: it says to use the skill whenever the user wants to do anything with PDFs or even merely mentions a .pdf file. Overly broad routing can cause the skill to trigger in unintended contexts, which is risky here because the skill includes filesystem operations and shell-based tooling that may then be applied to local documents without sufficiently deliberate user intent.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The guide includes a direct example for decrypting password-protected PDFs but provides no warning that this should only be done on files the user is authorized to access. In a general-purpose automation skill, that omission normalizes potentially sensitive or policy-violating behavior and can lead to unauthorized handling of protected documents.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The reference includes concrete commands for decrypting PDFs and removing password protection but does not state that these actions must only be performed on documents the user owns or is explicitly authorized to modify. In an agent skill context, omission of authorization and credential-handling guidance can normalize misuse and lead an automated system to help bypass document protections on third-party files.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The troubleshooting section shows password-based decryption in code without any warning about lawful use, secure credential entry, or secret exposure risks. Because this is a PDF skill intended for broad file-handling tasks, the example could cause an agent to solicit, expose, or process sensitive passwords unsafely while assisting with access to protected documents.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script silently writes font files into `~/.local/share/fonts` or system font directories with no warning, consent, or cleanup. In a PDF-processing skill, such hidden persistence is especially concerning because a user would reasonably expect only document transformation, not host environment modification.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.