
Security audit

gongwenformat

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly a local formatter for Chinese official documents (公文), but one bundled converter can silently replace the document title and drop everything after a certain point in the body.

Install it only if you need Chinese official-document (公文) formatting and are willing to review every output. Run the scripts on copies, pass an explicit title, write to a fresh output filename, and compare the result against the original before relying on it, paying particular attention to any section named “关键表格” (“key tables”), since that is where content loss was observed. No evidence of malware, persistence, credential theft, or network exfiltration was found.
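The comparison step above is easy to skip and hard to do by eye on a long document. The script below is an added example written for this audit, not code from the gongwenformat skill: it takes the original and the formatter's output as lists of paragraph strings (extracting them from .docx, for instance with python-docx, is assumed to have happened already so the example runs offline) and reports a replaced title, any paragraph that did not survive, whether the missing paragraphs form a cut-off tail, and whether the “关键表格” section was touched. The two sample documents are constructed for illustration; the BAD_OUTPUT one mimics the behaviour the audit describes rather than reproducing the skill's actual output.

```python
"""Independent post-conversion check for a document reformatter.

Added example for this audit; not part of the gongwenformat skill. Inputs are
lists of paragraph strings already extracted from the original and the output
document. Sample documents below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MARKER = "关键表格"  # section name singled out in the audit ("key tables")


def _norm(p: str) -> str:
    # A faithful reformat may change spacing and indentation; compare on
    # whitespace-free text so that only genuine content changes are reported.
    return re.sub(r"\s+", "", p)


@dataclass
class Report:
    title_replaced: bool
    output_title: str
    missing: List[Tuple[int, str]] = field(default_factory=list)  # lost paragraphs
    added: List[str] = field(default_factory=list)  # text the tool injected
    truncated_from: Optional[int] = None  # first index of a lost tail, if any
    marker_affected: bool = False  # MARKER section or anything after it lost

    def ok(self) -> bool:
        return not (self.title_replaced or self.missing or self.added)


def audit_output(original: List[str], output: List[str], expected_title: str) -> Report:
    orig = [p for p in original if p.strip()]
    out = [p for p in output if p.strip()]
    orig_set = {_norm(p) for p in orig}
    out_set = {_norm(p) for p in out}

    report = Report(
        title_replaced=(not out) or _norm(out[0]) != _norm(expected_title),
        output_title=out[0] if out else "",
    )
    report.missing = [(i, p) for i, p in enumerate(orig) if _norm(p) not in out_set]
    # Anything in the output that is neither source text nor the title the
    # user asked for was fabricated by the tool.
    report.added = [p for p in out
                    if _norm(p) not in orig_set and _norm(p) != _norm(expected_title)]

    missing_idx = {i for i, _ in report.missing}
    # Walk back from the end: a run of lost paragraphs reaching the last one
    # means the document was cut off rather than selectively edited.
    k = len(orig)
    while k - 1 in missing_idx:
        k -= 1
    report.truncated_from = k if k < len(orig) else None

    marker_at = next((i for i, p in enumerate(orig) if MARKER in p), None)
    if marker_at is not None:
        report.marker_affected = any(i >= marker_at for i in missing_idx)
    return report


# Constructed sample: an original report with a "关键表格" section.
ORIGINAL = [
    "某单位2024年度工作报告",
    "一、总体情况",
    "本年度各项任务按计划推进。",
    "二、关键表格",
    "表1：项目进度汇总。",
    "三、下一步安排",
    "继续推进重点项目。",
]
# Constructed output mimicking the reported failure mode: the title is
# swapped for an unrelated one and everything from the marker onward is gone.
BAD_OUTPUT = [
    "关于某项工作的报告",
    "一、总体情况",
    "本年度各项任务按计划推进。",
]
# Constructed output of a faithful reformat (only spacing differs).
GOOD_OUTPUT = [
    "某单位2024年度工作报告",
    "一、 总体情况",
    "本年度各项任务按计划推进 。",
    "二、 关键表格",
    "表1： 项目进度汇总。",
    "三、 下一步安排",
    "继续推进重点项目。",
]

if __name__ == "__main__":
    for name, out in (("bad", BAD_OUTPUT), ("good", GOOD_OUTPUT)):
        r = audit_output(ORIGINAL, out, expected_title=ORIGINAL[0])
        print(name, "OK" if r.ok() else "CONTENT CHANGED", r)
```

Run it against real files by replacing the constructed lists with the paragraphs of your copy and the converter's output; treat any non-empty `missing` or `added`, or a `truncated_from` value, as a reason not to use that output, and note that whitespace normalisation means a reformat that only reflows text will pass cleanly.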

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 93%
Finding
The skill’s stated purpose is narrowly scoped to GB/T 9704-2012 公文 (official-document) formatting, but the described implementation also includes unrelated hard-coded report conversion, generic checklist output, and brittle content-specific truncation logic. In an agent setting this can silently misprocess user documents, lose content, or fabricate structure while presenting the result as standards-compliant, which is a security-relevant integrity issue.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The script is advertised as a general gongwen formatter, but it injects a hard-coded title and removes content based on report-specific markers, namely a fixed original title and the section name '关键表格' (“key tables”). This amounts to silent content tampering: users may trust the output as a faithful reformatting when the tool has in fact rewritten and truncated the document in a way that can misrepresent official content.

Intent-Code Divergence

Severity: Medium
Confidence: 88%
Finding
The implementation does more than format a document: it omits portions of the source based on hard-coded markers, which conflicts with the tool's stated behavior. In a skill that processes official Chinese documents, silent deletion is risky because it can alter meaning, omit evidence, or produce non-authoritative outputs that look legitimate.

Natural-Language Policy Violations

Severity: Medium
Confidence: 89%
Finding
The default prompt hard-codes use of the gongwen formatting skill and assumes Chinese official-document formatting requirements without any explicit user opt-in or applicability check. This can cause unintended transformation of user content, especially when the user did not ask for Chinese government-style formatting, or when the document contains sensitive text that should not be rewritten under a prescriptive policy.

VirusTotal

64/64 vendors reported this skill as clean.


Static analysis

No suspicious patterns detected.