多种格式文档转换/图片OCR

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed document-conversion skill that uploads selected files to wdangz.com, so it is suitable only for non-sensitive documents.

Install only if you are comfortable sending chosen files to wdangz.com. Use it for public or non-sensitive documents, avoid contracts, IDs, financial records, credentials, regulated data, and confidential business files, and confirm the exact file and target operation before upload.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (2)

Description-Behavior Mismatch

Medium

Confidence: 82% confidence
Finding: The code supports a 'txt_to_voice' conversion mode even though the skill is presented as a document conversion tool. Scope expansion matters because it can cause users to send text content to an external service under misleading expectations, increasing unintended data exposure to a third party.

Vague Triggers

Medium

Confidence: 79% confidence
Finding: The invocation examples use broad natural-language triggers like converting 'this Excel' or 'help me convert' without requiring clear confirmation of the exact file, destination format, or acknowledgment of third-party upload. In a skill that uploads local documents externally, ambiguous triggers increase the chance of accidental disclosure or unintended processing of sensitive files.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal