Security audit

Office → Markdown Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed office-document-to-Markdown converter, with notable but expected risks from runtime package downloads and optional external OCR.

Install only if you are comfortable with the skill downloading pinned Python packages at runtime. Use text-only conversion for confidential documents, and approve vision/OCR only when you are comfortable sending scanned pages or embedded images to Anthropic for processing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# ── isolated dependency install ───────────────────────────────────────────────
_DEP_DIR = Path("/tmp/office_md_deps")
_DEP_DIR.mkdir(exist_ok=True)
subprocess.run(
    [
        sys.executable, "-m", "pip", "install", "--quiet",
        "--target", str(_DEP_DIR),
Confidence
89% confidence
Finding
subprocess.run(
    [
        sys.executable, "-m", "pip", "install", "--quiet",
        "--target", str(_DEP_DIR),
        "pandas==2.2.3", "tabulate==0.9.0",
    ],
    check=True,
)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# ── isolated dependency install ───────────────────────────────────────────────
_DEP_DIR = Path("/tmp/office_md_deps")
_DEP_DIR.mkdir(exist_ok=True)
subprocess.run(
    [
        sys.executable, "-m", "pip", "install", "--quiet",
        "--target", str(_DEP_DIR),
Confidence
93% confidence
Finding
subprocess.run(
    [
        sys.executable, "-m", "pip", "install", "--quiet",
        "--target", str(_DEP_DIR),
        "python-docx==1.1.2",
    ],
    check=True,
)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# environment is NOT modified.
_DEP_DIR = Path("/tmp/office_md_deps")
_DEP_DIR.mkdir(exist_ok=True)
subprocess.run(
    [
        sys.executable, "-m", "pip", "install", "--quiet",
        "--target", str(_DEP_DIR),
Confidence
90% confidence
Finding
subprocess.run(
    [
        sys.executable, "-m", "pip", "install", "--quiet",
        "--target", str(_DEP_DIR),
        "pdfplumber==0.11.4", "pymupdf==1.24.14",
    ],
    check=True,
)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# ── isolated dependency install ───────────────────────────────────────────────
_DEP_DIR = Path("/tmp/office_md_deps")
_DEP_DIR.mkdir(exist_ok=True)
subprocess.run(
    [
        sys.executable, "-m", "pip", "install", "--quiet",
        "--target", str(_DEP_DIR),
Confidence
96% confidence
Finding
subprocess.run(
    [
        sys.executable, "-m", "pip", "install", "--quiet",
        "--target", str(_DEP_DIR),
        "python-pptx==1.0.2",
    ],
    check=True,
)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# ── isolated dependency install ───────────────────────────────────────────────
_DEP_DIR = Path("/tmp/office_md_deps")
_DEP_DIR.mkdir(exist_ok=True)
subprocess.run(
    [
        sys.executable, "-m", "pip", "install", "--quiet",
        "--target", str(_DEP_DIR),
Confidence
96% confidence
Finding
subprocess.run( [ sys.executable, "-m", "pip", "install", "--quiet", "--target", str(_DEP_DIR), "openpyxl==3.1.5", "pandas==2.2.3", "tabulate==0.9.0", ]

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill instructs the agent to execute local Python scripts, write output files, and potentially send document content to an external vision API, which implies shell, file-write, and network capabilities. Because these capabilities are not explicitly declared in permissions, there is a real least-privilege and transparency issue: the platform or reviewer may underestimate what the skill can do, and users may not have clear permission gating for external data transmission.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Installing packages via pip inside a document-conversion skill is risky because the conversion path now performs code-fetching and package installation rather than just parsing local files. In this context, the skill handles user-supplied documents, so adding runtime package installation expands the attack surface and creates avoidable exposure to supply-chain compromise or unexpected installer behavior.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
A DOCX-to-Markdown converter should not need to fetch and install packages during normal execution. This creates unnecessary network access and executable side effects unrelated to the core conversion task, increasing supply-chain and environment-manipulation risk in a context where users expect local file processing.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
When --allow-vision is used, embedded document images are base64-encoded and sent to an external Anthropic API, which can exfiltrate sensitive content from the uploaded DOCX. Although the code attempts to require explicit opt-in, the capability is still a real data-transfer risk because office documents frequently contain confidential screenshots, scans, signatures, or regulated data.

Intent-Code Divergence

Low
Confidence
84% confidence
Finding
The header text emphasizes that vision is optional, but the script performs other side effects unconditionally at import/startup by installing dependencies via pip. This mismatch can mislead reviewers or operators into believing the tool is side-effect-free unless --allow-vision is passed, reducing transparency around actual behavior.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Runtime dependency installation is not necessary for normal PDF-to-Markdown conversion and expands the skill's privileges beyond its stated purpose. In this context, the capability is more dangerous because the skill processes user-supplied files but also reaches out to package infrastructure and installs executable Python code into /tmp, increasing attack surface and reducing reproducibility.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The file performs external network activity both to install dependencies and, when enabled, to send slide images to Anthropic's API. In a document-conversion skill, undeclared outbound network transmission is especially sensitive because uploaded documents may contain confidential business data, and users may reasonably expect local-only processing unless explicitly told otherwise.

Context-Inappropriate Capability

High
Confidence
93% confidence
Finding
The file performs external network activity both to install dependencies and, when enabled, to send slide images to Anthropic's API. In a document-conversion skill, undeclared outbound network transmission is especially sensitive because uploaded documents may contain confidential business data, and users may reasonably expect local-only processing unless explicitly told otherwise.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
A document conversion utility should not need to reach the network and modify its execution environment on each run. Runtime package installation expands the attack surface from local file parsing to external package retrieval and execution, creating opportunities for dependency confusion, mirror compromise, or abuse of pip configuration in environments processing untrusted uploads.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
When --allow-vision is used, slide images are transmitted to an external API without an explicit runtime disclosure at the point of transmission. Because PPTX slides often contain sensitive internal content, this creates a meaningful confidentiality risk, and the skill context makes it more dangerous because users may view document conversion as a local processing task.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.