DOCX Formatter

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward local Word document formatter with ordinary setup and file-output risks, not evidence of hidden or harmful behavior.

Install this only if you want local Chinese official-document .docx generation. Review the unpinned python-docx dependency if reproducibility matters, invoke the skill explicitly for formal-document formatting, and choose output paths carefully to avoid overwriting existing files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Vague Triggers

Medium (92% confidence)
Finding:
The skill declares very broad auto-trigger conditions and generic keywords like '报告', '总结', '方案', '修改', and '生成文档', which can overlap with many ordinary writing tasks. This can cause the agent to invoke the skill unexpectedly, leading to unintended formatting behavior or execution of associated tooling in contexts the user did not explicitly request.

Missing User Warnings

Medium (95% confidence)
Finding:
The skill instructs users to run an installation script and also states that the script may automatically detect and install dependencies, which implies local environment modification without clear disclosure of what will be installed or changed. In an agent setting, this increases risk because broad triggering could chain into shell execution or package installation the user did not meaningfully authorize.

VirusTotal

66/66 vendors flagged this skill as clean.
