pdf

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local PDF-processing skill, with the main caution that PDF contents and generated files may be sensitive.

Install if you want an agent to process PDFs you explicitly provide. Use copies of important files, treat extracted text, form values, validation images, and JSON metadata as sensitive, delete temporary artifacts when finished, install optional dependencies from trusted sources, and only decrypt or remove protection from PDFs you are authorized to handle.

SkillSpector

By NVIDIA

Vulnerability Patterns

Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The guide includes a qpdf example for decrypting a password-protected PDF without any caution about authorization, legal constraints, or data-handling risks. In an agent setting, such examples can normalize or automate removal of document protections on sensitive files, increasing the chance of unauthorized access or policy violations.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The reference explicitly includes commands to decrypt password-protected PDFs and remove protection, but it does not warn that these actions must only be performed with proper authorization. In an agent skill, this can normalize or facilitate misuse against protected documents by presenting the capability as a routine operation without policy or consent guardrails.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal