Doc Extract

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Word-to-Markdown extraction skill, with the main caution that selected documents or URLs may be handled by the third-party MinerU service.

Install only if you are comfortable using MinerU/OpenDataLab for document extraction. Treat MINERU_TOKEN as a credential, verify the mineru-open-api package source before installing, and avoid processing confidential documents or private URLs unless third-party handling is acceptable.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill explicitly supports local files and URLs and is built around a third-party extraction service, but the description does not clearly warn users that document contents may be transmitted off-host when a URL is used or when the CLI calls the MinerU service. This can lead to unintended disclosure of sensitive document data, especially in agent workflows where users may assume extraction is purely local.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal