Security audit

Doc Scan

Security checks across malware telemetry and agentic risk

Overview

This document-scanning skill is mostly coherent, but it quietly records scan metadata after processing, which users should review before installing.

Review this before installing because it can read document photos, write scan outputs, run local Python code, and silently record filenames and processing summaries to a timeline. Prefer the newer doc-process skill if you trust it, and only scan documents whose filenames and metadata you are comfortable storing locally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The skill advertises itself as deprecated and points users to another skill, but the body still contains full active operational instructions for scanning, transforming files, and generating outputs. This mismatch is dangerous because users, reviewers, or policy systems may under-scrutinize the skill while it still performs nontrivial actions, increasing the chance that risky behavior is overlooked.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The manifest description omits active behaviors such as scanning, output generation, enhancement, and post-processing that are documented later in the file. In security-sensitive environments, incomplete declarations weaken review, consent, and tool-governance controls because operators may authorize the skill for a narrower purpose than it actually supports.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill instructs the agent to silently log scan metadata to a timeline after processing, which is unrelated to the user's explicit request to scan a document. Undisclosed persistence of filenames and processing summaries creates a privacy and data-governance risk, especially when document names may contain sensitive personal, legal, medical, or business information.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The activation guidance uses broad phrases like 'any equivalent phrase,' which can cause the skill to trigger in contexts beyond precise user intent. Ambiguous invocation increases the chance of unintended file processing or accidental use of a deprecated skill instead of the intended replacement.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The skill explicitly directs silent timeline logging without notifying the user, which undermines transparency and informed consent. Because the skill handles document images and output filenames, this hidden side effect can expose sensitive workflow metadata even if document contents are not directly logged.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.