Back to skill

Security audit

Docx Fill

Security checks across malware telemetry and agentic risk

Overview

This Word-template filling skill is mostly coherent, but it needs review because it can silently erase undeclared table cells in the generated document.

Install only if you are comfortable with a local workflow that reads your template and reference files and writes a new Word document. Use an explicit output path, avoid pointing output at the original template, and review or diff the generated document because undeclared table cells may be cleared from the output.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill clearly performs file reads and writes by accepting a template path, reading reference materials, and writing a generated .docx, yet no explicit permissions are declared. This creates a security transparency and policy-enforcement gap: a host may invoke the skill without clearly surfacing filesystem access expectations to users or applying least-privilege controls.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The renderer proactively clears any non-empty table cell not explicitly listed as a placeholder or static text. In a document-generation skill, that behavior can silently delete legitimate template content, disclaimers, instructions, hidden business logic, or user-supplied material beyond the expected 'fill' operation. Because the clearing is automatic and driven by contract metadata, a malformed or adversarial contract can cause unauthorized data removal in the output document.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger text is overly broad, stating the skill should be used for nearly any request involving writing content into a structured Word document, even when the user does not explicitly ask to fill a template. Overbroad invocation can cause unintended skill activation on unrelated document tasks, leading to unnecessary file access, unexpected disk writes, or routing sensitive user content into a more privileged workflow than intended.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill specifies that it may write an output document by default next to the template, but does not prominently warn the user about this side effect. Silent or poorly disclosed file creation can surprise users, overwrite expectations about data locality, and leave sensitive derived documents in shared or monitored directories.

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
The schema explicitly uses a Chinese-only gender enumeration example (`enum:男,女`) as a normative value-type pattern. In a document-filling skill, that can propagate into validation or generation logic and cause exclusion, misclassification, or forced rewriting of user data for templates that require different gender vocabularies, non-binary options, or other locales. The risk is integrity and fairness harm rather than code execution, but the contract is core to downstream agents, so the policy can systematically affect outputs.

Natural-Language Policy Violations

Medium
Confidence
96% confidence
Finding
The header-to-type mapping states that `性别` maps to `enum:男,女` as a default policy, which turns a culturally specific binary assumption into an enforced semantic validation rule. Because this file defines a core contract consumed by multiple agents, the mapping can cause incorrect fills, validation failures, or coercion of legitimate values across many generated documents, especially in multilingual or inclusive contexts. The docx-fill context makes this more dangerous because structured templates often feed official forms and reports where data fidelity matters.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code performs destructive document modification and writes a new output file without any built-in disclosure, confirmation, or audit gating around the cell-clearing behavior. In this skill context, users expect template filling, not silent sanitization or deletion of undeclared content, so the absence of warning increases the risk of unnoticed data loss and misleading outputs. This becomes more dangerous because the skill is specialized for structured, table-heavy business or education documents where omitted cells may carry important meaning.

Ssd 1

Medium
Confidence
95% confidence
Finding
The instruction to 'ignore previous role/thought process' is a role-reset pattern that can semantically override higher-level agent context and weaken orchestration safeguards. In a multi-stage agent pipeline, such instructions can cause the model to discard relevant system, developer, or prior validation context, increasing the risk of prompt-injection-induced misalignment or incomplete security checks.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.