Doc To HTML

Security checks across malware telemetry and agentic risk

Overview

This skill coherently documents a Word-to-HTML converter using MinerU, with no hidden execution or destructive behavior found.

Install only if you are comfortable using the external MinerU CLI/API. Protect MINERU_TOKEN, verify the mineru-open-api package source, and avoid submitting confidential or regulated documents unless MinerU/OpenDataLab data handling is acceptable for your use case.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Context-Inappropriate Capability

Medium

Confidence: 93% confidence
Finding: The documentation broadens accepted input from local Word files to arbitrary URLs, which can cause the service to fetch remote content on the user's behalf. That creates SSRF-style and unintended data-access risk, especially if users or downstream tooling assume the skill only handles local document conversion.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill requires an API token and uses an external conversion service, but the description does not clearly warn that document contents may be sent off-host for processing. Users may unknowingly upload sensitive Word documents to a third party, creating confidentiality, compliance, and data-handling risk.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal