Back to skill

Security audit

MiniMax DOCX

Security checks across malware telemetry and agentic risk

Overview

This DOCX skill is mostly aimed at Word-document work, but its setup can make broad and persistent changes to the user's machine and its routing is too broad for that level of authority.

Install only if you explicitly want a DOCX automation skill that may set up .NET, restore NuGet packages, install pandoc/LibreOffice/zip tooling, and change shell or NuGet configuration. Review setup.sh first, prefer the minimal setup path, and avoid running it on sensitive machines or with untrusted templates unless you are comfortable with preserved external document links.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill invokes shell commands extensively (`bash`, PowerShell, helper scripts, `dotnet run`, LibreOffice conversion), yet no permissions model is declared. That creates an execution surface larger than the metadata suggests and can lead to unexpected command execution, dependency installation, filesystem changes, and external tool invocation when the skill is selected.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The skill is presented as a DOCX authoring/formatting utility, but the instructions also include environment inspection, dependency validation, package/setup scripts, project building, external preview/conversion tools, and shell-based system operations. This mismatch hides materially broader behavior from routing and review systems, increasing the risk of unanticipated system modification or data exposure when the skill is invoked for an ordinary writing task.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
This is a real defect in the example code: the comment says the self-append bug is fixed, but the code still does `cell.AppendChild(cell)`, creating an invalid self-referential DOM operation instead of appending the cell to the row. In a skill intended for copy-paste DOCX generation, users are likely to reuse this snippet directly, causing runtime exceptions, malformed output, or document-generation pipeline failures.

Context-Inappropriate Capability

Medium
Confidence
80% confidence
Finding
The mail-merge examples introduce external data source references, which expands the skill from document formatting into linking documents to outside data. That can create privacy and integrity risks if attacker-controlled paths, URLs, or relationship IDs are embedded, causing unintended external data access, tracking, or unsafe document behavior when opened in Word. Because the skill description emphasizes DOCX creation/editing/formatting, this capability is broader than necessary and increases attack surface.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The code copies all external relationships from template parts into the generated document, which can preserve attacker-controlled remote links in headers or footers. In a DOCX-processing skill that applies untrusted templates, this extends behavior beyond formatting transfer and can enable document-based tracking, external resource fetching, or delivery of unexpected linked content when the document is opened.

Intent-Code Divergence

High
Confidence
95% confidence
Finding
ResolveComment accepts a specific commentId but never uses it, instead marking the first matching extensible comment element as done. In a document-processing skill, this can silently alter the wrong review record, allowing users or downstream workflows to treat unresolved comments as resolved and undermining document approval, audit, and review integrity.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The setup script fetches and executes a remote installer script from dot.net and performs package installation actions that go beyond pure DOCX generation. Even if intended for convenience, executing unaudited remote code during setup creates a supply-chain risk and materially broadens the trust boundary of the skill.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script installs optional tools such as pandoc and LibreOffice, expanding capability beyond the declared OpenXML/.NET scope. This increases attack surface and dependency risk, especially because these tools are installed automatically rather than as separately disclosed optional integrations.

Vague Triggers

High
Confidence
91% confidence
Finding
The skill says it 'MUST use this skill whenever' the user asks for many general writing tasks, even when `.docx` is not mentioned. That broad routing can cause the system to invoke a shell-capable, file-writing, environment-inspecting skill for ordinary text drafting requests, unnecessarily expanding attack surface and increasing the chance of unintended file operations or tool execution.

Vague Triggers

High
Confidence
89% confidence
Finding
Single-word triggers like `document`, `Word`, `报告`, and `排版` are highly ambiguous and likely to match benign conversational requests unrelated to DOCX generation. In this skill, false invocation is more dangerous because activation can lead to shell scripts, setup routines, local file processing, and external converters being used unnecessarily.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Appending to the user's ~/.bashrc without prior consent is an unapproved persistence/configuration change. It can alter future shell behavior, create hard-to-debug environment issues, and violates least surprise for a document-processing skill.

Missing User Warnings

High
Confidence
98% confidence
Finding
The script downloads and executes /tmp/dotnet-install.sh from the network without integrity verification or an explicit warning. If the download is tampered with or the remote source is compromised, arbitrary code can run under the user's account during setup.

Missing User Warnings

High
Confidence
98% confidence
Finding
The fallback branch also downloads and runs a remote installer script without integrity checks or prominent disclosure. This repeats the same supply-chain risk and makes execution more likely on unsupported platforms where users may have less visibility into what is happening.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.