Word Reader

Security checks across malware telemetry and agentic risk

Overview

This Word Reader skill appears to do what it advertises, with installer and document-privacy cautions users should review.

Install only if you are comfortable with the dependency setup, preferably in a virtual environment or managed machine image. Avoid running the automatic installer with elevated privileges unless you trust the package sources, and only process or batch-export documents whose contents and metadata you are comfortable exposing to the agent and saving locally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill advertises capabilities that can write files (`--output results.json`) and invoke shell commands (`pip`, `sudo apt-get install antiword`) but does not declare corresponding permissions. This creates a trust and containment gap: users or orchestrators may treat the skill as low-privilege while it can modify the filesystem and trigger external command execution during installation or use.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The demo script alters a file under the skill installation path by adding execute permission with chmod +x. Even though this is framed as a convenience step, a demo for a document-reading skill should not mutate installed files at runtime, and doing so can normalize unsafe behavior or make an unintended script executable if the target path is replaced or tampered with.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The installer performs system-level package installation and modifies file permissions, which exceeds the narrow function of a Word-reading skill. While common in convenience installers, invoking OS package managers and changing executability increases the trust boundary and can alter the host environment in ways users may not expect.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
Using privileged package management is not strictly necessary for reading Word documents and creates a path for broad host modification if the script is run in a trusted context. Even without obvious malicious code, this grants the installer capability to change system packages and dependencies, increasing the blast radius of compromise or misuse.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The skill description presents itself as a Word reader, but `.doc` handling relies on invoking an external system utility (`antiword`) discovered from PATH. In an agent or multi-tenant environment, undisclosed execution of external binaries increases attack surface and can lead to unsafe parsing of malicious documents or execution of an unexpected binary if PATH is compromised.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This skill is designed to extract document text, tables, image metadata, and authoring metadata, then print or save the results, but it does not warn users that Word documents often contain sensitive or hidden information. In practice, this can lead to accidental disclosure of confidential content, personal data, or internal metadata, or to bulk leakage when batch mode and output files are used.

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
{
  "id": "system",
  "kind": "system",
  "command": "sudo apt-get install antiword -y",
  "label": "Install antiword for .doc support (optional)",
  "platform": "linux-debian"
}
Confidence
94% confidence
Finding
sudo

VirusTotal

66/66 vendors flagged this skill as clean.