Word Converter

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Word document conversion skill, but users should know it uses the MinerU API and may send document contents to an external service.

Install this only if you are comfortable processing documents through MinerU/mineru-open-api. Avoid confidential, regulated, client, legal, or personal documents unless third-party processing is approved, and review the npm package source and MinerU data-handling terms before use.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The trigger phrases are overly broad and include common user wording such as generic requests about converting Word files, which can cause the skill to activate in situations the user did not explicitly intend. Because this skill sends documents to an external conversion service, accidental invocation can expose sensitive document contents or metadata to a third party without clear user awareness.

Missing User Warnings

High

Confidence: 98% confidence
Finding: The description advertises document conversion but does not warn that files are processed through MinerU API, an external service. Users may provide confidential, proprietary, or regulated documents under the assumption of local processing, creating a significant risk of unintended data disclosure and compliance violations.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal