Security audit

pdf-processor-for-minimax

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed PDF-to-MiniMax helper, but users should treat PDF contents and API keys as sensitive when using it.

Install only if you are comfortable sending the selected PDF's extracted text and images to MiniMax for analysis. Use a dedicated API key where possible, review or pin the Python dependencies, and avoid confidential PDFs unless MiniMax's data handling terms meet your needs.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill explicitly extracts PDF text and images and sends them to the MiniMax API, which means potentially sensitive document contents leave the local environment. While this appears to be the intended functionality rather than credential theft or covert exfiltration, the absence of an explicit user-facing warning and consent step creates a real privacy and data-handling risk, especially for confidential PDFs.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal