Word2md

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Office-document converter that sends selected files to MinerU's cloud, so it is acceptable with privacy caution.

Install only if you trust MinerU and the mineru-open-api package, and only process documents you are allowed to upload to a third-party cloud service. Avoid confidential, regulated, or highly sensitive files unless you have reviewed MinerU's handling terms and have permission to send the content.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 86% confidence
Finding: The trigger guidance is broad enough that the skill may activate for generic requests to "read," "extract," "convert," "summarize," or "analyze" a document, even when the user did not specifically intend to use a cloud-backed office-document conversion tool. Because this skill uploads files or URLs to a third-party service, unintended invocation can create privacy and data-handling risk beyond simple misrouting.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal