Back to skill

Security audit

Office Automation

Security checks across malware telemetry and agentic risk

Overview

This looks like a real local office-automation skill, but it can batch rename and overwrite documents in place without enough safeguards.

Install only if you are comfortable reviewing and controlling the exact folders it touches. Test on copies first, keep backups, and avoid running the rename or Word replacement actions on important business, HR, finance, or customer documents until safeguards such as dry-run, confirmation, backups, and collision checks are added. I found no artifact-backed evidence of malware or hidden data upload; the Review verdict is for unsafe bulk-edit controls, not malicious intent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill description promotes bulk file modification and mass email sending without prominent warnings about destructive changes, privacy exposure, credential handling, or accidental data leakage. In an office-automation context, these operations can affect large numbers of documents or recipients at once, so missing safeguards materially increases the chance of harmful user mistakes or misuse.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The batch rename flow shows a preview but then immediately performs in-place renaming with no confirmation, dry-run mode, or rollback mechanism. This is dangerous because a mistaken pattern or unexpected filename collision can irreversibly rename many files at once, causing operational disruption and potential data handling errors.

Missing User Warnings

High
Confidence
97% confidence
Finding
The Word batch replacement routine modifies .docx files in place and saves directly over the originals without backups, confirmation, or output-directory separation. If the replacement text is wrong, too broad, or the document formatting is altered unexpectedly, the original content may be lost across many files at once, making recovery difficult.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.