Back to skill

Security audit

Pdf2word Skills

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a legitimate PDF-to-Word/OCR helper, but it combines an unverified downloaded executable with under-disclosed cloud OCR and sensitive plaintext handling.

Review before installing. Use the local OCR path for confidential PDFs, avoid remote Gemini OCR unless you accept sending document contents to that provider, restrict any API-key config file permissions, and prefer installing only after the binary source is pinned or verified by checksum/signature.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The installer downloads a platform-specific executable from the internet and places it into the skill directory, but it does not verify a checksum, signature, or pinned artifact digest before marking it executable. If the release asset, GitHub account, transport path, or version target is tampered with, users could install and run an untrusted binary, leading to arbitrary code execution on the host.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The README explicitly instructs users to send scanned PDF contents to a remote OCR provider (Gemini) but does not warn that document contents may leave the local machine and be transmitted to a third party. Because scanned PDFs often contain sensitive personal, legal, financial, or business data, this omission can lead users to unintentionally expose confidential information.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The README instructs users to use the Gemini API for OCR but does not disclose that document contents may be transmitted to a third-party remote service. In a PDF-to-Word skill, users may process sensitive scanned documents, so the omission can lead to unintended data exfiltration and privacy/compliance violations.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill recommends using the Gemini API for OCR but does not clearly warn that document contents may be transmitted to a third-party remote service. Because scanned PDFs often contain sensitive personal, financial, or proprietary data, users could unintentionally exfiltrate confidential information off-device.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script writes OCR output to a predictable plaintext file next to the destination document before deleting it, which can expose sensitive document contents to other local users, backup/indexing systems, or forensic recovery if deletion fails or the process crashes. Because this skill is explicitly designed to process scanned PDFs, it is likely to handle confidential documents, making intermediate plaintext storage more security-sensitive in context.

Session Persistence

Medium
Category
Rogue Agent
Content
To use Gemini, first configure your API key:
```bash
mkdir -p ~/.ocr
echo "gemini_api_key=your_gemini_key" > ~/.ocr/config
```
Confidence
86% confidence
Finding
mkdir -p ~/.ocr echo "gemini_api_key=your_gemini_key" > ~/.ocr

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.