Paper To Markdown

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed PDF-to-Markdown helper, but PDFs are sent to MinerU’s external service for processing.

Install only if you are comfortable trusting the mineru-open-api CLI and sending selected PDFs or PDF links to MinerU for processing. Avoid private or regulated documents unless that external data flow is acceptable, and only run MinerU authentication if you intentionally need the larger-file extraction mode.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 91%
Finding
The 'When to Use' section uses broad triggers like 'read', 'extract', 'convert', 'parse', 'summarize', or 'analyze a PDF', which can match many ordinary user requests and cause the skill to activate more often than intended. Because this skill sends documents or URLs to a third-party API, over-triggering can lead to unintended external transmission of user-provided content or metadata, increasing privacy and data-handling risk.

VirusTotal

65/65 vendors flagged this skill as clean.
