PDF助手

Security checks across malware telemetry and agentic risk

Overview

This PDF helper is a simple instruction-only skill that does what it says, but users should understand that selected files are sent to TinyWow and may remain there for up to 24 hours.

Install only if you are comfortable sending selected PDFs, Office files, images, text, or HTML files to TinyWow for processing. Avoid confidential, regulated, legal, financial, or highly sensitive documents unless you have verified TinyWow's current privacy and deletion terms, and confirm the 0.001 USDT SkillPay charge before each use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Medium, 96% confidence
Finding
The skill states that files are 'automatically cleaned to protect privacy' after processing, but elsewhere documents that uploaded files are deleted only after 24 hours. That mismatch can mislead users about how long sensitive files remain available on a third-party service, creating privacy and compliance risk for confidential documents.

Missing User Warnings

Medium, 95% confidence
Finding
The skill says files are submitted to an external platform, TinyWow, but does not prominently warn users before use that their files will leave the host environment and be subject to third-party handling and retention. This is dangerous because users may upload sensitive personal, legal, financial, or business documents without informed consent about external processing.

VirusTotal

65/65 vendors flagged this skill as clean.
