PDF to Markdown with OCR

Security checks across malware telemetry and agentic risk

Overview

This skill transparently uploads selected PDFs to the user's Modal account for OCR, but users should understand the remote storage and cleanup implications.

Install only if you are comfortable sending selected PDFs to Modal-managed remote infrastructure. Use a unique slug per job, avoid highly sensitive documents unless Modal storage is acceptable for your use case, and delete uploaded inputs and outputs from the Modal volume after processing if you do not want them retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 86%
Finding: The skill invokes shell commands (`modal volume create/put/get`, `modal run`) but does not declare a shell capability or the permissions it requires. That weakens transparency and reviewability, making it easier for a skill to perform filesystem- and network-affecting actions without users or policy layers understanding the true execution surface. In this context, the shell is used to upload local files to a remote service, which increases the risk beyond that of a purely local helper.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 92%
Finding: The documented purpose says the skill handles local PDF/image OCR, but the workflow only processes PDFs and uses persistent Modal volumes named for an unrelated `speech2srt` service. That mismatch is security-relevant because it obscures where data is stored and suggests possible reuse of shared infrastructure outside the stated purpose, increasing the chance of unintended data mixing, retention, or disclosure. The undeclared use of another service's namespace makes the behavior more dangerous in a document-processing skill that handles potentially sensitive files.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The workflow explicitly uploads local documents to remote Modal volumes and GPU infrastructure, yet the skill description provides no privacy or data-handling warning. For OCR/parsing tasks, inputs often contain sensitive personal, legal, financial, or proprietary data, so failing to warn users about off-device transfer and persistence materially increases the risk of inadvertent data exposure. The use of persistent volumes makes this especially concerning because documents may remain stored after processing.

VirusTotal

67/67 vendors flagged this skill as clean.