Korean Document Reviewer

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it claims: review Korean business documents and save structured results, but users should treat the saved outputs as sensitive business data.

Install only if you are comfortable having reviewed document data written into the agent workspace. Use it in a private workspace, avoid uploading documents you do not have permission to process, and delete or redact generated JSON reports when they contain account numbers, registration numbers, addresses, or transaction amounts that no longer need to be retained.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill directs saving structured review results to workspace files, and those results include extracted fields from Korean business documents such as business registration numbers, bank account numbers, representative names, addresses, and transaction amounts. Persisting this sensitive data without an explicit user warning, consent step, retention rule, or minimization guidance increases the risk of unintended disclosure, over-retention, and secondary access by other tools, agents, or users sharing the workspace.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal