PDF Toolkit

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed cloud PDF-processing skill whose main risk is that documents and an optional API key are shared with ComPDF only after user confirmation.

Install only if you are comfortable using ComPDF Cloud for PDF processing. Do not upload highly sensitive documents unless you accept the provider’s handling of them, and save the API key locally only on a trusted device where other users or tools cannot read it.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The skill advertises very broad trigger phrases such as 'process this pdf' and 'handle pdf file', which overlap with many ordinary PDF requests. Because this skill uploads files to a third-party cloud service, unintended invocation could cause users to be steered into unnecessary external transmission flows or expose documents they did not expect to leave the local environment.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal