polaris-datainsight-doc-extract

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward document-extraction skill that uses Polaris DataInsight, with privacy caution because files are uploaded to Polaris for processing.

Install only if you are comfortable sending selected DOCX, PPTX, XLSX, HWP, or HWPX files to Polaris DataInsight. Avoid using it for confidential, regulated, customer, or proprietary documents unless your organization permits that service, and keep the Polaris API key in an environment variable rather than pasting it into chats or logs.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The skill tells the agent to invoke this service whenever users mention common office-document extraction tasks, even without naming Polaris. That broad routing can cause sensitive documents to be sent to a third-party processor unexpectedly, creating privacy and data-governance risk through over-collection and unintended external disclosure.

Missing User Warnings

High

Confidence: 97% confidence
Finding: The skill explains extraction behavior but does not prominently warn that the full document is uploaded to an external API service for processing. Users may provide confidential, regulated, or proprietary files without informed consent, leading to unauthorized third-party data transfer and compliance exposure.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal