Back to skill

Security audit

Ifc To Excel

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed IFC-to-Excel conversion helper with expected filesystem access and no evidence of hidden data theft, persistence, or destructive behavior.

Install this only if you are comfortable letting the agent read IFC files and write conversion outputs in folders you choose. Use a trusted IfcExporter or IfcOpenShell installation, verify converter and input paths before running batch jobs, and review generated files before sharing them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Output HandlingUnvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Low
Confidence
87% confidence
Finding
This markdown file documents converting IFC files into `.xlsx` and `.dae` outputs, which affects user data and filesystem state, but it does not include any warning about where files are written or whether existing outputs may be overwritten. For markdown files, the skill description should disclose behaviors that can affect user data or system integrity.

Unvalidated Output Injection

High
Category
Output Handling
Content
if not export_collada:
            cmd.append("-no-collada")

        result = subprocess.run(cmd, capture_output=True, text=True)

        if result.returncode != 0:
            raise RuntimeError(f"Export failed: {result.stderr}")
Confidence
85% confidence
Finding
subprocess.run(cmd, capture_output

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.