md-docx

Security checks across malware telemetry and agentic risk

Overview

This document converter appears mostly legitimate, but it asks for persistent memory access that is not explained or needed for converting Markdown and Word files.

Review before installing. Use it only for documents you intend to convert, choose or check the output directory, and ask the publisher to remove or clearly justify memory_read and memory_write and to narrow the generic trigger phrases.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 85% confidence
Finding: The trigger phrases include very generic terms such as '文件转换' and '格式转换', which can match many unrelated user intents and cause the skill to activate outside its narrow md/docx purpose. Over-broad activation is dangerous because it can lead the agent to request, read, or write files in situations where the user did not specifically ask for this skill.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal