Byted Data Deepresearch Structured2markdown

Security checks across malware telemetry and agentic risk

Overview

This spreadsheet-to-Markdown skill has a real, disclosed cloud-processing purpose, but it handles sensitive files and cloud credentials in ways users should review carefully before installing.

Install only if you are comfortable sending the selected spreadsheets to Volcengine DataAgent for remote analysis and report generation. Do not paste long-lived cloud keys into chat; use least-privilege or temporary credentials supplied through environment variables or a secret manager, clear them after use, and avoid setting PUBLIC_INSIGHT_API_URL unless you fully trust the destination. Treat the output as cloud-generated analysis, not a purely local file conversion.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • System Prompt Leakage: Direct Leakage, Indirect Extraction, Tool-Based Exfiltration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (13)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding
The skill uses environment credentials and network access to upload files to an external service, but does not declare corresponding permissions. That creates a transparency and governance gap: users and orchestrators may treat it as a local formatting utility when it actually exfiltrates data off-host. In a file-conversion context, undeclared outbound transmission is materially riskier because users may provide sensitive spreadsheets expecting only local processing.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding
The documented purpose says the tool converts spreadsheets to Markdown, but the behavior described goes further: authenticated remote analysis, fixed research prompting, stream processing, and report generation. This mismatch can mislead users into sharing files under false assumptions, causing unintended disclosure and more expansive processing than consented to. The context makes this more dangerous because spreadsheet files often contain business, financial, or personal data.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
The skill instructs the agent to ask users for raw AccessKey and SecretKey directly in chat for a task that is presented as document conversion. Soliciting long-lived cloud credentials in-band is dangerous because it trains unsafe behavior, expands credential exposure to logs/transcripts, and is disproportionate to the stated function. In this context, requesting cloud API secrets for spreadsheet formatting is especially suspicious and unnecessary.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The skill metadata promises a narrow spreadsheet/CSV-to-Markdown conversion, but the implementation actually uploads files and invokes a generic remote deep-research task with the fixed prompt "请帮我分析并产出文档" (roughly, "please help me analyze and produce a document"). This mismatch is dangerous because users may disclose sensitive data under the assumption of deterministic formatting, while the tool performs broader cloud-side analysis than advertised.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding
The Actions class exposes generic deep-research task execution/status/detail operations in addition to file upload, showing that the code is designed for a broader remote research agent rather than a strict file-format conversion utility. In the context of an agent skill that users are instructed to prioritize for formatting, this capability expansion increases the risk of unanticipated remote processing and data misuse.

Vague Triggers

Severity: Medium
Confidence: 83%
Finding
The trigger conditions are broad enough to route many ordinary spreadsheet-analysis requests into this skill, even when users may only want local inspection or simple Q&A. Over-broad invocation increases the chance of unnecessary external uploads and credential handling without informed consent. Given the skill's actual remote-processing behavior, ambiguous routing is materially risky.

Missing User Warnings

Severity: High
Confidence: 97%
Finding
The skill description normalizes uploading user Excel/CSV files to an external API without prominently warning about data transmission, retention, or privacy implications. Users may reasonably assume a local formatting step, but the actual design sends potentially sensitive tabular data to a remote provider. In a spreadsheet-processing skill, this lack of disclosure is high risk because such files often contain confidential records.

Missing User Warnings

Severity: High
Confidence: 99%
Finding
The skill directs users to provide AccessKey and SecretKey directly in chat without any warning about secret handling, persistence, or safer alternatives. This is dangerous because chat systems, logs, and downstream tools may retain those secrets, enabling account compromise beyond the immediate task. The risk is amplified because the credentials appear to be cloud API keys with potentially broad privileges.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The upload_files function opens local user-supplied files and sends their full contents to a remote API endpoint, yet the user-facing description does not prominently warn that the data leaves the local environment. This is especially risky because spreadsheets and CSVs often contain confidential business, personal, or regulated data, and the skill is framed as a formatting helper rather than a data-exfiltrating network operation.

Ssd 3

Severity: High
Confidence: 99%
Finding
The instruction to remember user-provided AK/SK for future reuse promotes persistent retention of highly sensitive credentials. Persisting secrets beyond the immediate transaction increases exposure in memory, logs, prompts, or state stores and can lead to later unauthorized use. In this context, retained cloud credentials are far more dangerous than ephemeral task inputs.

Credential Access

Severity: High
Category: Privilege Escalation
Content:
Aida OpenAPI Client (volcengine-sdk)

options:
  --ak AK          [必选] Volcengine AccessKey(优先级高于环境变量和 .env 文件)
  --sk SK          [必选] Volcengine SecretKey(优先级高于环境变量和 .env 文件)
  --files FILES    [必选] 用户待处理的excel/csv文件路径,绝对路径, 多个文件用逗号分隔
  --output OUTPUT  [必选] 输出md文件路径,绝对路径
Confidence: 90%
Finding
.env

Credential Access

Severity: High
Category: Privilege Escalation
Content:
options:
  --ak AK          [必选] Volcengine AccessKey(优先级高于环境变量和 .env 文件)
  --sk SK          [必选] Volcengine SecretKey(优先级高于环境变量和 .env 文件)
  --files FILES    [必选] 用户待处理的excel/csv文件路径,绝对路径, 多个文件用逗号分隔
  --output OUTPUT  [必选] 输出md文件路径,绝对路径
  --debug          [可选] 输出完整错误信息(也可用 OPENCLAW_DEBUG=1)
Confidence: 90%
Finding
.env

Direct Prompt Extraction

Severity: High
Category: System Prompt Leakage
Content:
- Asking about the contents of Excel (.xls, .xlsx) or CSV (.csv) files.
- Being invoked by other orchestration skills (e.g., daily report generation)

> ⛔ **OUTPUT RULE — highest priority**
>
> - During execution, **never output any intermediate process to the user**, including but not limited to technical steps such as self-checks, creating a virtual environment, installing dependencies, and connectivity verification.
> - Never output any of the following (a violation counts as failure):
Confidence: 86%
Finding
OUTPUT RULE

VirusTotal

66/66 vendors flagged this skill as clean.
