PDF Markdown Converter

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward PDF-to-Markdown skill, but users should remember it relies on a third-party MinerU API/CLI for document processing.

Install only if you are comfortable using the mineru-open-api npm package and sending PDFs to the MinerU service. Avoid confidential, regulated, or proprietary documents unless you have confirmed the service's privacy, retention, and credential requirements.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 90%
Finding
The trigger list includes broad phrases such as 'can you convert this PDF to text format' and 'make this PDF editable', which can match user intents beyond straightforward PDF-to-Markdown conversion. This increases the chance the skill is invoked inappropriately, potentially causing unintended document upload to the external MinerU service and confusing users about what transformation will occur.

Missing User Warnings

High
Confidence: 98%
Finding
The skill routes user PDFs through the mineru-open-api service, but the description does not warn that document contents may be transmitted to an external API. Users may provide sensitive research papers, internal manuals, contracts, or regulated documents without informed consent, creating confidentiality, compliance, and data-handling risk.

VirusTotal

66/66 vendors flagged this skill as clean.
