Security audit

format-flow

Security checks across malware telemetry and agentic risk

Overview

This is a coherent document conversion skill, but running it can automatically install unpinned Python packages and fetch URLs for web conversion, so it deserves review before installation.

Review before installing in shared, production, or locked-down environments. Prefer running it in a virtual environment with dependencies preinstalled and pinned, use batch or recursive modes only on deliberately selected folders, and do not provide sensitive documents or internal URLs unless you intend this skill to process them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
for package in missing:
    try:
        print(f"[INFO] 正在安装 {package}...")
        subprocess.check_call(
            [sys.executable, "-m", "pip", "install", package],
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL
Confidence
93% confidence
Finding
subprocess.check_call( [sys.executable, "-m", "pip", "install", package], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNU

Vague Triggers

Medium
Confidence
91% confidence
Finding
The README says the skill can be triggered by very generic natural-language requests such as converting files or extracting PDF text. In an agent environment, broad trigger phrasing can cause unintended invocation on user content or unrelated workflows, which may lead to unexpected processing of local documents and file conversions without sufficiently explicit user intent.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The top-level description includes many broad activation keywords such as generic conversion and formatting phrases, which can cause the skill to match ordinary user requests that do not explicitly ask for this tool. Over-broad routing increases the chance of unintended execution, especially because the skill can process files and potentially fetch web content.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The web-processing triggers include ambiguous phrases like '抓取网页', '保存网页', 'web to Markdown', and 'HTML to Markdown', which can match common browsing, summarization, or saving requests. Because this capability may initiate network access, accidental activation can cause unanticipated outbound requests or retrieval of untrusted content.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The text-formatting triggers use very broad language like 'format text', 'beautify text', and 'organize notes', which overlaps with many normal assistant editing tasks. This makes the skill prone to unintended invocation for generic writing help, causing unnecessary file/tool actions and possible confusion about what data is being processed.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill advertises web-page-to-Markdown conversion but does not warn users that converting from a URL may perform network access. This is risky because users may not realize the tool will contact external sites, potentially exposing usage patterns, triggering requests to sensitive endpoints, or processing untrusted remote content.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Automatically installing missing packages via pip without explicit confirmation can unexpectedly change the runtime environment and pull code from external package sources. In an agent skill context, this is more dangerous because skills may run unattended in sensitive environments where implicit network access and dependency installation are not acceptable.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.