Document Processing

Security checks across malware telemetry and agentic risk

Overview

This document-processing skill is coherent and disclosed, but users should be careful before enabling Feishu syncing for sensitive documents.

Install only if you are comfortable processing local documents with these Python libraries and, if you configure Feishu, sending selected document content or extracted results to Feishu cloud destinations. Use least-privilege OCR and Feishu tokens, confirm the folder/table/message recipients, and avoid enabling sync for confidential or regulated files unless that destination is approved.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill explicitly advertises automatic syncing of documents, extracted content, and processing results to Feishu, but provides no warning that potentially sensitive document content and metadata will be transmitted to an external service. In a document-processing context, this increases the risk of unintended data exfiltration, privacy violations, and compliance issues because users may reasonably expect local-only processing unless outbound sharing is clearly disclosed and consented to.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal