ebook-to-md

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it claims, but it sends full documents to Baidu and automatically fetches returned image URLs without enough user control or disclosure.

Review before installing if you process confidential, regulated, or business-sensitive documents. Use it only for files you are allowed to send to Baidu, keep Baidu credentials scoped, install Calibre from a trusted source, and be aware that image links returned by the parser may be fetched automatically unless inline image handling is disabled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Medium
Confidence: 80%
Finding
The skill metadata says it 'Uses Baidu OCR only', but MOBI/EPUB handling invokes local Calibre `ebook-convert`. This discrepancy expands the trust boundary to a local document-conversion binary, which increases attack surface and could expose the host to parser vulnerabilities in Calibre when processing untrusted ebooks.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The code downloads arbitrary URLs found in OCR/parser-produced `<img src=...>` content using `requests.get` with no host allowlist, scheme restriction, timeout, or size limits. Because the Markdown/parse result comes from a remote service, this creates an SSRF-style primitive and can be abused to make the host fetch internal resources or large attacker-controlled payloads.

Natural-Language Policy Violations

Medium
Confidence: 89%
Finding
The skill mandates Baidu OCR with no language, locale, or provider choice and no explicit consent flow. In this context, users may submit sensitive PDFs, images, or ebooks without realizing their contents are being sent to a third-party OCR provider, creating privacy, compliance, and data residency risks.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill uploads full document contents to Baidu for parsing without an explicit user-facing warning or consent at the point of transmission. In a document-conversion skill, this is materially sensitive because users may submit private PDFs, images, or ebooks and may reasonably expect local-only processing.

VirusTotal

66/66 vendors flagged this skill as clean.