Back to skill

Security audit

Pdf Label Made In China

Security checks across malware telemetry and agentic risk

Overview

This skill has a clear PDF-labeling purpose, but it tells the agent to run an unpinned package install with sudo and depends on a script outside the reviewed artifact.

Review before installing. The PDF-labeling workflow itself is understandable, but you should avoid running the sudo pip install as written and confirm the referenced add_made_in_china.py script is present and trustworthy before using the skill on business labels.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
## 注意事项

- 始终先用 `sudo pip3 install PyPDF2 -q` 确保依赖已安装
- 输出文件命名建议:`原文件名_modified.pdf`
- 多类型PDF:脚本自动通过条形码识别每页类型,无需手动分页
- 字体默认 Helvetica 8号,FBA标签可用 11号(`--font-size 11`)
Confidence
97% confidence
Finding
sudo

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.