Security audit

File2md

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward document-to-Markdown helper, with a privacy caution for optional Azure cloud processing.

Safe to install for ordinary local document conversion. Before using -d, --use-cu, Azure endpoints, or AZURE_API_KEY, confirm the files are permitted to be processed by Azure and avoid cloud modes for sensitive documents unless you have explicit approval.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill documents Azure Document Intelligence and Azure Content Understanding as optional processing modes, but it does not clearly warn that enabling these features may send document contents and metadata to external cloud services. In an agent context, this can cause unintended exfiltration of sensitive local files if the operator or downstream automation assumes all conversion is local-only.

VirusTotal

64/64 vendors flagged this skill as clean.
