docx

Security checks across malware telemetry and agentic risk

Overview

This is a Word document helper skill with broad but disclosed enrichment capabilities and no executable code, persistence, credential use, or hidden behavior found.

Install this if you want help producing or editing Word/.docx documents. Because the skill discloses optional use of web search, scraping, social data, image generation, and document processing, review generated documents before publishing and avoid providing sensitive documents unless you trust the platform handling them.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The activation guidance is broad enough to capture many ordinary writing or document-related requests, not just clear .docx-specific tasks. In an agent environment, this can cause inappropriate tool invocation, unnecessary access to document-processing or network-enabled capabilities, and expanded attack surface through misrouting of user requests.

Vague Triggers

Medium

Confidence: 86% confidence
Finding: The suggested prompt is incomplete and vague, which increases the chance that the orchestrator or downstream agent will invoke the skill on weak or ambiguous signals. Because this skill exposes document processing plus web/search-related APIs, imprecise prompting can lead to unnecessary capability use and make prompt-routing abuse easier.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal