PDF Converter

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed PDF conversion skill that uses a third-party SDK and downloads required license/model files, with no artifact evidence of hidden exfiltration or destructive behavior.

Install only if you trust ComPDF/PDF Technologies and are comfortable with a proprietary SDK, a first-run network download, and a roughly 525 MB local model cache. Avoid using it in strict offline or sensitive-document environments unless you pre-provision the license/model files and control network access. Provide PDF passwords only when necessary and avoid placing them in reusable prompts, logs, or shell history.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding: The skill declares no required permissions, but the documentation clearly describes environment variable access, local file reads/writes, and automatic network downloads of a license and AI model. This is dangerous because users or hosting agents may trust the declared metadata and invoke the skill in a more permissive way than intended, leading to unexpected outbound network activity and filesystem changes.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 97%
Finding: The advertised behavior does not match the documented behavior: the skill claims XML support that is not actually present, omits additional formats and image inputs, and fails to surface that it downloads remote files and enforces license logic. This mismatch is security-relevant because operators may approve or sandbox the skill based on incomplete or inaccurate expectations, exposing systems to unexpected network access, file writes, and supply-chain risk from downloaded artifacts.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding: The skill automatically downloads a license file and AI model from the network at runtime, even though its primary purpose is local document conversion. This expands the trust boundary to remote infrastructure and creates supply-chain and privacy risks, especially because the downloaded artifacts are accepted based only on existence/non-empty checks rather than cryptographic verification or explicit user consent.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding: This code performs remote fetching of license/model resources in a document conversion utility, which is more dangerous than the skill description suggests because execution may contact external servers and store downloaded content locally. In environments handling sensitive PDFs, unexpected network access can violate isolation assumptions and expose users to dependency compromise or operational data leakage.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The skill description lacks a prominent warning that first use may automatically download files from remote servers and write them into the local scripts directory. This is risky because automatic retrieval of executable/consumed resources at runtime introduces supply-chain and integrity concerns, and users may unknowingly run the skill in restricted or sensitive environments where such writes and network calls are unacceptable.

VirusTotal

48/48 vendors flagged this skill as clean.