Security audit

PDF阅读助手

Security checks across malware telemetry and agentic risk

Overview

This PDF helper does what it advertises, with no evidence of hidden network access, persistence, credential use, or destructive behavior.

Install only if you are comfortable letting the skill read the PDFs or PDF folders you explicitly provide. Avoid pointing it at broad or sensitive directories, and delete /tmp/pdf_extract.json after use if the agent creates that file during analysis.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 93%
Finding: The skill clearly instructs the agent to read arbitrary local PDF paths and process directories, but it declares no corresponding permissions or trust boundaries. This creates a capability mismatch that can lead to unauthorized file access or accidental reading of sensitive local documents when the skill is triggered.

Intent-Code Divergence

Severity: Low
Confidence: 88%
Finding: The documentation says extracted content in /tmp/pdf_extract.json is automatically cleaned up, but no cleanup step is actually documented in the workflow. Extracted PDF text may contain confidential material, so leaving it in a predictable temporary file can expose sensitive data to other local users, later processes, or forensic recovery.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding: The trigger phrases include very broad terms such as 'PDF', '论文', and '文档分析', which can cause the skill to activate in situations where the user did not intend local file processing. In this context, accidental activation is more dangerous because the skill is designed to read local files and batch-process directories, increasing the chance of unintended data access.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding: The activation scenarios are broad and ambiguous, covering generic requests like '读论文' and '分析研报' without requiring a clear indication that a local file should be accessed. Because the skill supports directory-wide batch processing and multi-document comparison, ambiguous activation increases the risk of the agent reading unintended documents or overreaching beyond the user's intent.

Natural-Language Policy Violations

Severity: High
Confidence: 97%
Finding: The instruction requires that whenever the skill is loaded or a user first mentions a PDF, it 'must' output the provided opening message verbatim, and that message is entirely in Chinese. This forces a specific language regardless of user preference and offers no opt-in, fallback, or justification for the locale restriction.

VirusTotal

65/65 vendors flagged this skill as clean.