Back to skill

Security audit

Local Document Ingest

Security checks across malware telemetry and agentic risk

Overview

This skill performs the disclosed job of turning uploaded local files into Research KB pages and archives them to the configured Gitea repository.

Install only for workflows where uploaded local-folder contents are intended to become part of the team KB. The skill can persist original files and derived summaries to the configured Gitea repository, so do not run it on folders containing secrets, private personal files, or material that should not be archived. Keep the PDF parsing dependency updated and run it with a least-privilege Gitea bot token limited to the intended KB repo.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
This code reads repository content via GiteaClient (catalog.json and index.md) in addition to processing local files, expanding data access beyond the stated local-folder scope. That broadens the trust boundary and can expose unrelated repository content to downstream consumers without clear necessity, increasing the risk of unintended data disclosure and overcollection.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The related_page_cards function reads arbitrary repository page text for ranked matches and includes content previews in the returned context. This materially exceeds simple local file reading and can leak unrelated internal knowledge-base content into the processing pipeline based only on token overlap, which is a weak authorization basis.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The manifest explicitly states that the skill will archive local source files and write pages, catalog, and index content to a remote Gitea repository, but it does not surface a clear warning that user-provided local data will be persisted and published beyond the local processing step. This creates a real risk of unintended data modification or disclosure, especially because the input is a desktop-uploaded local folder that may contain sensitive material not meant for archival or repository publication.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The function reads arbitrary local files from item storage paths and uploads their raw bytes to the remote Gitea client under source_files/local_folder/... with no consent check, policy gate, or visibility in this code path. In a skill that handles local documents, this materially increases data exfiltration risk because sensitive files can be persisted remotely even when page generation is the apparent primary task.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The extractor reads local file contents from provided storage paths and returns text previews and structural summaries without any visible consent, notice, or policy enforcement in this component. In a skill handling local uploads, silent ingestion of file contents can expose sensitive user data to downstream models or services beyond what the user expects.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
Repository files are fetched and incorporated into the returned context without any user-visible indication in this code path. Because these reads are outside the immediate local upload set, they can surprise users and expose repository knowledge-base material to downstream processing without adequate transparency.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code loads repository page bodies and returns contentPreview values for matched pages without any visible disclosure or access-control check in this function. That can leak snippets of unrelated internal documents into context sent to later stages, especially when token matching accidentally selects sensitive pages.

Known Vulnerable Dependency: pypdf==4.3 — 10 advisory(ies): CVE-2026-48156 (pypdf: Possible long runtimes for zero-only width values in cross-reference stre); CVE-2026-24688 (pypdf has possible Infinite Loop when processing outlines/bookmarks); CVE-2026-27628 (pypdf has a possible infinite loop when loading circular /Prev entries in cross-) +7 more

Low
Category
Supply Chain
Confidence
95% confidence
Finding
pypdf==4.3

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.