Back to skill

Security audit

TextIn xParse Document Parse

Security checks across malware telemetry and agentic risk

Overview

The skill is for document parsing, but it needs review because it can send local documents and passwords to an external service and recommends risky installer and credential practices.

Review before installing. Use only with documents you are allowed to send to TextIn/xParse, avoid confidential or regulated files unless that provider relationship is acceptable, verify the remote installer before running it, and protect XPARSE_APP_ID, XPARSE_SECRET_CODE, document passwords, and parsed output files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The guidance makes clear that document parsing is performed through free or paid remote APIs and includes credentialed authentication paths. For a skill framed as parsing user-provided local documents, this materially changes the trust boundary because sensitive document contents may be transmitted to an external service without prominent disclosure or consent guidance.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Including authenticated remote API setup and secret-based usage expands the capability from simple document conversion to cloud-backed processing with account-scoped access. That is risky because users may assume local-only handling from the skill description and unknowingly expose sensitive files or enable paid operations.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill instructs agents to parse local files or document URLs through `xparse-cli`, and the metadata explicitly references free and paid API usage, implying document contents may be transmitted to an external service. Without a clear warning or consent requirement, an agent could exfiltrate sensitive document contents off-host contrary to user expectations, especially for local files that users may assume are processed locally.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The documentation instructs users to place API secrets in environment variables or config files but provides no handling guidance for protecting those secrets. This increases the chance of accidental exposure through shell history, logs, shared environments, misconfigured permissions, or checked-in config files.

Missing User Warnings

Low
Confidence
72% confidence
Finding
The examples encourage writing parsed output to files and directories without noting that extracted content may include sensitive text from source documents. In document-processing workflows, this can lead to unintentional persistence of confidential data in shared workspaces, temporary folders, or downstream artifacts.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The guide instructs the agent to ask the user for a document password and rerun the command with it, but provides no safeguards for handling that secret. In an agent setting, this can lead to users disclosing passwords in chat, passwords appearing in command lines, logs, shell history, or downstream telemetry, increasing the risk of credential exposure beyond the immediate parsing task.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The document instructs users to store long-lived API credentials in environment variables or a local config file under the home directory, but it does not warn about file permissions, secret leakage through shell history, shared machines, CI logs, or source-control exposure. In a skill designed for document parsing and automation, these omissions increase the chance that operators will handle secrets insecurely and unintentionally expose paid API access.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.