Kai Docx Generator

Security checks across malware telemetry and agentic risk

Overview

This skill coherently generates and fills Word documents, with normal local file parsing risks but no evidence of hidden, destructive, or exfiltrating behavior.

Install only if you need Word/DOCX generation or template filling. Use current patched dependencies or a lockfile, avoid processing DOCX/templates/images from unknown sources, and be explicit that the task is DOCX/Word-related so the broad triggers do not route unrelated document work into this skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Context-Inappropriate Capability

Severity: Medium
Confidence: 83%
Finding: The grading script is not purely passive: it actively executes a local project script against a hard-coded repository path. In a skill/eval context, that means running untrusted or not-yet-vetted code during evaluation, which expands the trust boundary and can lead to arbitrary local code execution if the target repository contents are malicious or compromised.

Vague Triggers

Severity: Medium
Confidence: 74%
Finding: The trigger phrases include very generic terms such as '生成文档' and 'generate docx', which can cause the skill to activate for broad, common requests beyond the user's specific intent. Overbroad routing can expose the skill's file and shell capabilities in contexts where a simpler or safer tool should have been used, raising the chance of unintended file operations.

Vague Triggers

Severity: Medium
Confidence: 94%
Finding: The trigger list includes very generic phrases such as '生成文档' and broad English equivalents like 'fill template' and 'generate docx', which can cause the skill to be invoked in contexts the user did not intend. In an agent setting, overly broad activation can route unrelated content into file-generation workflows, causing unintended file access, document creation, or disruption of the expected task flow.

Natural-Language Policy Violations

Severity: Medium
Confidence: 88%
Finding: The instruction to always announce a recommendation in Chinese overrides normal language alignment with the user's preferences and can produce unsolicited output in the wrong language. While not a direct code-execution issue, this is a policy and UX safety problem because it can bypass agent-level language controls and create confusing or misleading interactions in multilingual environments.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding: The trigger list includes very broad phrases such as '生成文档' and 'fill template', which can match many ordinary user requests outside the intended .docx scope. Over-broad routing can cause the wrong skill to activate, leading to unintended file generation or handling of user content when a more appropriate skill should have been used.

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
python-docx>=1.1.0
markdown-it-py>=3.0.0
lxml>=4.9.0
Pillow>=10.0.0
Confidence: 98%
Finding: python-docx>=1.1.0

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
python-docx>=1.1.0
markdown-it-py>=3.0.0
lxml>=4.9.0
Pillow>=10.0.0
pyyaml>=6.0
Confidence: 98%
Finding: markdown-it-py>=3.0.0

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
python-docx>=1.1.0
markdown-it-py>=3.0.0
lxml>=4.9.0
Pillow>=10.0.0
pyyaml>=6.0
Confidence: 99%
Finding: lxml>=4.9.0

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
python-docx>=1.1.0
markdown-it-py>=3.0.0
lxml>=4.9.0
Pillow>=10.0.0
pyyaml>=6.0
Confidence: 99%
Finding: Pillow>=10.0.0

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
markdown-it-py>=3.0.0
lxml>=4.9.0
Pillow>=10.0.0
pyyaml>=6.0
Confidence: 99%
Finding: pyyaml>=6.0

Known Vulnerable Dependency: python-docx — 2 advisory(ies): CVE-2016-5851 (Improper Restriction of XML External Entity Reference in python-docx); CVE-2016-5851 (python-docx before 0.8.6 allows context-dependent attackers to conduct XML Exter)

Severity: High
Category: Supply Chain
Confidence: 95%
Finding: python-docx

Known Vulnerable Dependency: markdown-it-py — 4 advisory(ies): CVE-2023-26302 (markdown-it-py Denial of Service vulnerability in the command line interface); CVE-2023-26303 (markdown-it-py Denial of Service vulnerability); CVE-2023-26302 (Denial of service could be caused to the command line interface of markdown-it-p) +1 more

Severity: High
Category: Supply Chain
Confidence: 88%
Finding: markdown-it-py

Known Vulnerable Dependency: lxml — 10 advisory(ies): CVE-2021-43818 (lxml's HTML Cleaner allows crafted and SVG embedded scripts to pass through); CVE-2014-3146 (lxml Cross-site Scripting Via Control Characters); CVE-2021-28957 (lxml vulnerable to Cross-Site Scripting ) +7 more

Severity: High
Category: Supply Chain
Confidence: 87%
Finding: lxml

Known Vulnerable Dependency: Pillow — 10 advisory(ies): CVE-2016-2533 (Pillow buffer overflow in ImagingPcdDecode); CVE-2023-50447 (Arbitrary Code Execution in Pillow); CVE-2021-27922 (Pillow Uncontrolled Resource Consumption) +7 more

Severity: Critical
Category: Supply Chain
Confidence: 95%
Finding: Pillow

Known Vulnerable Dependency: pyyaml — 8 advisory(ies): CVE-2019-20477 (Deserialization of Untrusted Data in PyYAML); CVE-2020-1747 (Improper Input Validation in PyYAML); CVE-2020-14343 (Improper Input Validation in PyYAML) +5 more

Severity: Critical
Category: Supply Chain
Confidence: 94%
Finding: pyyaml

VirusTotal

63/63 vendors flagged this skill as clean.