MAXQDA Timecode Converter

Security checks across malware telemetry and agentic risk

Overview

This is a simple transcript timecode conversion skill that edits chosen text files locally, but users should keep backups because it overwrites files.

Install only if you are comfortable with a skill that removes the first line and overwrites transcript files. Before running it, keep a backup and test on one copied transcript before using the batch command on a full directory.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill explicitly overwrites the original file after removing the first line, but it does not warn users that this is destructive or recommend making a backup first. This creates a real integrity and availability risk because user data can be irreversibly altered or partially lost if the format is wrong, the script misparses content, or the operation is interrupted.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The batch example applies destructive replacement across every matching .txt file in a directory with no confirmation, dry-run mode, backup, or review step. In context, this amplifies the risk substantially because a formatting mismatch or user path mistake could corrupt many research transcripts at once, causing broad data loss and cleanup effort.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal