pdf-to-latex-mineru

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent MinerU PDF-to-LaTeX helper, but users should understand that documents processed through the MinerU API may leave their machine.

Install only if you are comfortable using MinerU/OpenDataLab for PDF extraction. Do not process unpublished, proprietary, regulated, or otherwise confidential documents unless you have approved sharing them with that service, and verify the npm package or Go repository before installing.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill explicitly supports URL-based PDF extraction and requires an API token, strongly implying documents may be uploaded to or processed by an external MinerU service, yet it does not disclose that user-supplied document contents could leave the local environment. In this context, users may submit unpublished papers, proprietary manuscripts, or sensitive research documents, so the omission creates a meaningful data privacy and confidentiality risk.

VirusTotal

58/58 vendors flagged this skill as clean.

View on VirusTotal