
Security audit

Docx Tools

Security checks across malware telemetry and agentic risk

Overview

This is a local Word and Markdown document utility whose file reading and writing are expected for its purpose, with no evidence of hidden network, credential, persistence, or destructive behavior.

Reasonable to install for local DOCX and Markdown handling. Use a virtual environment for dependencies, review input and output paths before running conversions or write operations, and avoid pointing it at sensitive folders unless you intend those documents to be read or overwritten.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 79%
Finding
The skill clearly describes file read and file write operations, but no explicit permissions are declared. This creates a trust and policy gap: an execution environment or reviewer may underestimate the skill's ability to access and modify local files, increasing the chance of unintended data exposure or overwriting user documents. In a document-processing skill, filesystem access is expected, but it still must be declared because the risk depends on what paths the agent is allowed to touch.

VirusTotal

67/67 vendors flagged this skill as clean.
