Back to skill

Security audit

Markdown Ai Rewriter

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says, but it needs review because automatic activation and package loading are broader than the documentation clearly scopes.

Review before installing. Use it only in trusted project directories, install the pinned npm package from a trusted source, configure only the provider API key you need, and avoid confidential Markdown unless you are comfortable sending it to that provider. Disable automatic invocation or require confirmation before rewrites or media generation where possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Intent-Code Divergence

Low
Confidence
93% confidence
Finding
The launcher documents and implies a pinned dependency version, but it never verifies that the resolved markdown-ai-rewriter package is actually version 1.2.5 before importing and executing its CLI code. Because the code searches multiple node_modules locations including the current working directory, an attacker or compromised environment could place a different package version or malicious replacement at that path and have it executed in-process, bypassing the stated trust boundary.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README instructs users to configure third-party provider API keys and use external AI services to rewrite Markdown, but it does not clearly warn that document contents will be sent to external vendors. In a rewriting skill, users may process sensitive drafts, internal docs, or proprietary Markdown, so the lack of an explicit privacy/data-exposure warning can lead to unintended disclosure.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
This skill is designed to send Markdown content, prompts, and possibly image/video/music generation inputs to multiple third-party AI providers, yet the description does not provide a prominent warning about that data transfer. Users may unknowingly submit sensitive documents, API prompts, or embedded content to external services, creating confidentiality and compliance risks.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill is configured with autoInvoke enabled but provides no trigger constraints, scoping, or user-confirmation guardrails in the manifest. Because this skill can rewrite Markdown and use networked AI providers with user-supplied content, unconstrained automatic invocation increases the chance of unintended data exposure, surprise content modification, or unexpected API usage.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.