My Docx Formatter

Security checks across malware telemetry and agentic risk

Overview

This is a local Word document formatter whose broad activation wording and install script deserve awareness, but the artifacts do not show hidden data access or malicious behavior.

Install this only if you want Chinese official-document-style Word formatting. Review the install script before first use, expect it to install python-docx into a local virtual environment, and use explicit input and output paths so broad auto-trigger wording does not format documents unintentionally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium, 92% confidence
Finding
The auto-trigger scope is overly broad and includes very common writing terms such as '报告', '总结', '方案', '修改', and '生成文档'. This can cause the skill to activate on ordinary writing requests without clear user intent, increasing the chance of unintended document generation, formatting changes, or downstream execution of associated tooling.

Missing User Warnings

Medium, 96% confidence
Finding
The skill instructs users to run an installation script and indicates it may automatically install dependencies, while also producing output files, but does not clearly warn about code execution, package installation, or filesystem writes. In an agent setting, this creates a meaningful risk of unexpected command execution and persistent system modification without informed consent.

VirusTotal

66/66 vendors flagged this skill as clean.
