Back to skill

Security audit

Doc Extractor

Security checks across malware telemetry and agentic risk

Overview

This is a local document text extractor with some normal file-access cautions, and the scanner’s code-execution concerns are limited to a separate CI helper rather than normal skill use.

Use the included artifact or review the GitHub raw script before running it. Run batch mode only on a specific document folder, and avoid using the CI verification helper on code you do not trust unless it is sandboxed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def has_self_test(fp):
    r = subprocess.run([sys.executable, fp, "self-test"], capture_output=True, text=True, timeout=30)
    return r.returncode == 0 and "PASS" in r.stdout
Confidence
98% confidence
Finding
r = subprocess.run([sys.executable, fp, "self-test"], capture_output=True, text=True, timeout=30)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
all_ok &= axis(False, "frontmatter (no SKILL.md)")
        all_ok &= axis(False, "docs (no SKILL.md)")
    # 3 compiles
    comp_ok = all(subprocess.run([sys.executable, "-m", "py_compile", fp],
                                capture_output=True).returncode == 0 for fp in files)
    all_ok &= axis(comp_ok, "compiles (py_compile all .py)")
    # 4 self-test (any of 3 valid forms)
Confidence
96% confidence
Finding
comp_ok = all(subprocess.run([sys.executable, "-m", "py_compile", fp], capture_output=True).returncode == 0 for fp in files)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
tests = [os.path.join(folder, f) for f in os.listdir(folder)
                 if (f.startswith("test_") or f.endswith("_test.py")) and f.endswith(".py")]
        if tests:
            st_ok = all(subprocess.run([sys.executable, t], capture_output=True, text=True,
                                      timeout=30).returncode == 0 for t in tests)
            st_note = f"{len(tests)} test_*.py"
        elif re.search(r"(?im)^test\s*:", skill_txt):
Confidence
99% confidence
Finding
st_ok = all(subprocess.run([sys.executable, t], capture_output=True, text=True, timeout=30).returncode == 0 for t in tests)

Lp3

Medium
Category
MCP Least Privilege
Confidence
72% confidence
Finding
The skill advertises operational capabilities that imply file access and shell execution, but the manifest does not declare any permissions or trust boundaries. That creates a transparency and review gap: an agent or user may invoke the skill expecting simple document extraction while granting or inheriting broader local capabilities than are documented.

Tp4

High
Category
MCP Tool Poisoning
Confidence
86% confidence
Finding
The declared purpose is narrow document extraction, but the analyzed behavior reportedly includes package validation, compilation checks, self-test execution, secret scanning, and broader file-format handling. This mismatch is dangerous because it can conceal higher-risk behaviors such as scanning unrelated files, executing local code/tests, or performing repository-wide inspection under the cover of a benign extraction tool.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.