Doc Weaver

Security checks across malware telemetry and agentic risk

Overview

This skill appears locally scoped and non-malicious, but it materially overstates its document-generation capabilities and may create fake .docx or .pdf files that are actually plain text.

Install only if you are comfortable treating this as a local Markdown preview/styling helper, not a real Word/PDF generator. Verify any produced .docx or .pdf files before relying on them in workflows, archives, signatures, or reviews.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Tp4

High

Category: MCP Tool Poisoning
Confidence: 84% confidence
Finding: A skill that claims to generate real .docx and PDF files but actually produces styled Markdown or text creates a trust and integrity problem: users may rely on output format guarantees that are not met, causing downstream automation, review controls, or archival processes to fail silently. In document-generation workflows, this mismatch can also mislead users about what tools are invoked and what files are created, increasing the chance of operational errors or unsafe assumptions.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal