pandoc-docx

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Pandoc document conversion skill that can read and write user-selected documents, with no hidden network, credential, or persistence behavior found.

Install this only if you want an agent to run local document conversion tools on files you specify. Keep backups before edit or replace operations, review output paths carefully to avoid overwriting important documents, and install required tools from trusted package managers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 91%
Finding
The trigger conditions are broad enough to activate on many ordinary document-related requests, including generic mentions of Word, pandoc, or any path containing .docx. In an agent environment, this can cause the skill to run unexpectedly on sensitive files or intercept user intent more often than necessary, increasing the chance of unintended file processing and data exposure.

VirusTotal

37/37 vendors flagged this skill as clean.
