Security audit

PDF转Word

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local PDF-to-Word workflow, but users should be careful because it relies on an unauthenticated local document-conversion service that stores uploaded files and history.

Install only if you trust the local doc-converter service it calls. Keep it bound to localhost, avoid highly sensitive PDFs unless you understand where files and history are stored, and use explicit PDF-to-Word requests rather than broad document-conversion prompts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Description-Behavior Mismatch
Severity: High. Confidence: 94%.
Finding: The skill is marketed and triggered as a narrowly scoped PDF-to-Word tool, but the documentation exposes a broader general-purpose document conversion platform with multiple conversion modes. This scope mismatch can cause an agent to invoke capabilities the user did not intend, weakening least-privilege boundaries and increasing the chance of misuse or unsafe file-processing flows.

Description-Behavior Mismatch
Severity: Medium. Confidence: 91%.
Finding: The task-creation API accepts a generic conversionType rather than enforcing pdf_to_word, which effectively exposes arbitrary backend conversion workflows through a supposedly single-purpose skill. In an agent setting, this can bypass intended capability restrictions and enable invocation of riskier converters such as LibreOffice, ImageMagick, or Ghostscript paths not implied by the skill's public contract.

Description-Behavior Mismatch
Severity: Medium. Confidence: 94%.
Finding: The documented API exposes many conversion modes beyond the skill's declared PDF-to-Word purpose, which creates a scope mismatch and expands what an agent could invoke. In a skill context, this increases the risk of unintended or unauthorized file transformations because the available backend capabilities are broader than the user-facing contract.

Context-Inappropriate Capability
Severity: Medium. Confidence: 97%.
Finding: The API explicitly states there is no authentication and allows direct file upload and other general operations, which means any local caller could interact with the service without identity or permission checks. In a file-processing workflow, unauthenticated access can expose sensitive documents, enable unauthorized uploads or deletions, and turn the service into a broadly accessible conversion endpoint.

Vague Triggers
Severity: Medium. Confidence: 83%.
Finding: The trigger phrase includes the broad term '文档转换' (document conversion), which can match many general document-conversion requests outside the stated PDF-to-Word purpose. Overbroad invocation increases the risk that the agent routes unrelated or more sensitive file-processing tasks into this skill, especially given the broader backend capabilities documented elsewhere.

Missing User Warnings
Severity: Medium. Confidence: 84%.
Finding: The documentation says authentication is not required and lists file operations without warning users about privacy or integrity consequences. While this is partly a documentation-quality issue, it reflects and normalizes an unsafe design for handling potentially sensitive uploaded documents.

Missing User Warnings
Severity: Medium. Confidence: 73%.
Finding: The delete endpoint is documented without any warning about irreversible data loss or ownership checks. In isolation this is a weaker issue, but in combination with the unauthenticated design it becomes more dangerous because anyone who knows or can guess a file ID may delete documents without user awareness.

VirusTotal

62/62 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.