Joe's Markdown to DOCX Converter

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Markdown-to-Word converter with disclosed image downloading behavior that users should treat carefully for untrusted documents.

Install only if you are comfortable with npm dependencies. Before converting Markdown from someone else, review or remove image references because remote images will cause outbound network requests, and local image paths may read files into the generated DOCX. Choose an explicit output filename to avoid accidental overwrite.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill explicitly supports remote image URLs and states they are automatically downloaded, but it does not prominently warn users in the description or usage guidance that converting untrusted Markdown will trigger outbound network requests. This can enable SSRF-like behavior, unintended access to internal resources, privacy leaks, and surprising network activity during document conversion.

Missing User Warnings

Medium
Confidence: 95%
Finding
The converter automatically fetches remote images referenced in Markdown, which causes outbound network requests during document generation. This can leak the user's IP address and environment metadata to attacker-controlled servers, enable tracking, and in some deployments could reach internal-only URLs if untrusted Markdown is processed, making it an SSRF-style risk.

VirusTotal

42/42 vendors flagged this skill as clean.
