Back to skill

Security audit

mineru document extractor

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate MinerU document extraction skill, but users should know that documents and URLs are sent to MinerU's online service for processing.

Install only if you are comfortable sending the documents, scans, spreadsheets, images, or web pages you choose to MinerU for server-side extraction. Avoid confidential or regulated material unless MinerU's terms and your organization's rules allow it, and protect or rotate any MinerU token you configure.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs use of remote extraction and web crawling commands that transmit document or page content to MinerU's external API, but the warning is only in metadata and not prominently repeated near the operational commands. Users may run sensitive PDFs, scans, or URLs through a third-party service without noticing the data-transfer risk, increasing the chance of unintended disclosure of confidential content.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.