Back to skill

Security audit

Markdown to Word (.docx) Converter

Security checks across malware telemetry and agentic risk

Overview

This Markdown-to-Word converter is mostly purpose-aligned, but it can install tools and render document-supplied Mermaid diagrams through a local browser with sandbox protections disabled.

Review this before installing if you convert untrusted Markdown or work in sensitive directories. Only allow dependency installation when you intend it, prefer explicit input/output paths, avoid untrusted Mermaid blocks unless you can run the conversion in a sandbox, and expect Chinese publishing defaults when no template is supplied.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill instructs the agent to install packages, invoke a local Python script, inspect common directories for templates, and use shell-based tooling like npm, mmdc, textutil, or libreoffice, which clearly implies shell, file read/write, and environment access despite no declared permissions. This creates a permission-transparency gap: users and policy layers may treat the skill as low-risk while it can execute local commands and modify files, increasing the chance of unintended command execution or filesystem access.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The skill renders Mermaid by invoking mermaid-cli and, indirectly, a headless browser with relaxed sandbox flags like --no-sandbox and --disable-setuid-sandbox. In a document-conversion skill, this substantially expands the attack surface: untrusted Markdown can trigger complex parsing and browser-based rendering, increasing risk of renderer exploitation, local file exposure through renderer features, or denial of service.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger guidance is broad enough that an agent may invoke this skill for ordinary mentions of Word or Markdown conversion without clear user intent or confirmation. In an agentic environment, overly broad activation can cause unintended file processing, installation of external dependencies, or execution of conversion workflows on sensitive local content.

Vague Triggers

Medium
Confidence
82% confidence
Finding
Repeating vague natural-language invocation examples without hard boundaries increases the chance that a hosting agent will treat loosely related requests as authorization to run the skill. In context, this skill can touch local files and external tooling, so accidental activation is more dangerous than a purely informational skill.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger language is broad enough to activate on essentially any Markdown-to-Word request, which can cause the agent to invoke a high-capability skill in situations where a simpler or safer response would suffice. In context, this matters because the skill may read local files, search common directories, install dependencies, and run shell commands, so over-triggering expands exposure to those actions unnecessarily.

Natural-Language Policy Violations

Medium
Confidence
78% confidence
Finding
Applying Chinese typesetting conventions by default without explicit user opt-in can silently alter document formatting and produce outputs inconsistent with the user's expectations or organizational standards. While not a classic security flaw, it is a safety and integrity issue because default formatting choices may modify content presentation in a way the user did not request.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The eval prompts are broad, natural-language invocations that do not define strong trigger boundaries or exclusion conditions, which can cause the skill to activate in unintended contexts. In an agent setting, over-broad activation increases the chance of the skill being selected for loosely related requests and performing file conversion or template handling when the user did not clearly intend that behavior.

Natural-Language Policy Violations

Medium
Confidence
87% confidence
Finding
The eval expects default Chinese typesetting to be applied even for an English technical document without user opt-in, which creates a mismatch between user intent and output behavior. While this is not a classic code-execution issue, it is a policy and safety problem because the skill may silently impose formatting choices the user did not request, leading to incorrect or misleading document generation.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.