Slides To Markdown

Security checks across malware telemetry and agentic risk

Overview

This skill coherently converts user-selected Office documents to Markdown, but users should notice that it uploads those documents to MinerU's cloud service.

Install only if you are comfortable sending the specific documents you choose to MinerU's cloud service. Avoid confidential, regulated, or highly sensitive files unless that cloud processing is approved, and consider pinning or verifying the mineru-open-api CLI package in managed environments.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 86% confidence
Finding: The skill's activation guidance uses very broad verbs such as "read," "extract," "convert," "summarize," and "analyze" for common office documents, which can cause the agent to invoke this skill in many situations without clear user consent to upload content to a third-party cloud service. This is more dangerous in context because the skill explicitly sends document contents to MinerU's remote API and supports direct URL fetching, so unintended activation could expose sensitive internal documents or trigger external network access.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal