Security audit

Convert Plaintext to MD

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward markdown conversion helper, with disclosed file-editing behavior and no evidence of hidden or malicious activity.

Install if you want an agent to convert and polish documentation files. Use it on files you intend to edit, review diffs before accepting changes, specify a stop point for pattern-based conversions, and only allow reference URL fetching when you trust the referenced documentation sites.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 92%
Finding
The skill explicitly states that natural-language variations such as 'polish the converted markdown file' should trigger the 'finalize' behavior. This is dangerous because broad, ambiguous trigger matching can cause the agent to perform additional transformations beyond the user's intended scope, potentially altering content, escaping text, reformatting code blocks, or making silent changes when the user only requested a review or minor edit.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.