Back to skill

Security audit

MiniMax PDF

Security checks across malware telemetry and agentic risk

Overview

This PDF skill appears purpose-built, but normal use can automatically install packages/browser components and fetch remote or local assets without strong containment.

Use only in an isolated virtual environment or container. Preinstall reviewed dependencies yourself where possible, avoid running the auto-fix path on a system Python, and do not use remote cover images or confidential local file paths unless network and local-file rendering are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
Findings (29)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def ensure_deps():
    if importlib.util.find_spec("pypdf") is None:
        import subprocess
        subprocess.check_call(
            [sys.executable, "-m", "pip", "install", "--break-system-packages", "-q", "pypdf"]
        )
Confidence
94% confidence
Finding
subprocess.check_call( [sys.executable, "-m", "pip", "install", "--break-system-packages", "-q", "pypdf"] )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def ensure_deps():
    if importlib.util.find_spec("pypdf") is None:
        import subprocess
        subprocess.check_call(
            [sys.executable, "-m", "pip", "install", "--break-system-packages", "-q", "pypdf"]
        )
Confidence
96% confidence
Finding
subprocess.check_call( [sys.executable, "-m", "pip", "install", "--break-system-packages", "-q", "pypdf"] )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def ensure_deps():
    if importlib.util.find_spec("pypdf") is None:
        import subprocess
        subprocess.check_call(
            [sys.executable, "-m", "pip", "install", "--break-system-packages", "-q", "pypdf"]
        )
Confidence
95% confidence
Finding
subprocess.check_call( [sys.executable, "-m", "pip", "install", "--break-system-packages", "-q", "pypdf"] )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
missing.append("pypdf")
    if missing:
        import subprocess
        subprocess.check_call(
            [sys.executable, "-m", "pip", "install", "--break-system-packages", "-q"] + missing
        )
Confidence
98% confidence
Finding
subprocess.check_call( [sys.executable, "-m", "pip", "install", "--break-system-packages", "-q"] + missing )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if importlib.util.find_spec(p) is None]
    if missing:
        import subprocess
        subprocess.check_call(
            [sys.executable, "-m", "pip", "install",
             "--break-system-packages", "-q"] + missing
        )
Confidence
97% confidence
Finding
subprocess.check_call( [sys.executable, "-m", "pip", "install", "--break-system-packages", "-q"] + missing )

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises and instructs use of shell commands, environment checks, dependency installation, and file-writing behavior, yet it declares no corresponding permissions or safety boundaries in the skill metadata. This creates a mismatch between apparent capabilities and declared trust constraints, increasing the risk that an agent may invoke filesystem or shell actions without explicit user awareness or policy gating.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The README explicitly states that cover fonts are fetched from Google Fonts at render time, which introduces outbound network access during normal skill execution. That expands the trust boundary beyond local PDF generation, can leak usage metadata or document-related timing/context to a third party, and creates a supply-chain and reproducibility risk not clearly disclosed as part of the skill's core behavior.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
Allowing cover_image to be an absolute URL or file:// path means the PDF rendering path can fetch arbitrary remote resources or read local files during Playwright rendering. In a PDF-generation skill, this meaningfully expands capability beyond formatting and can enable SSRF, internal network probing, local file disclosure, and privacy leaks if user-controlled input reaches this token.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
Explicit support for arbitrary file:// image loading is dangerous because it can cause the renderer to access local files on the host machine and embed their contents into output or otherwise expose their existence. Given this is a document-design skill, local filesystem read capability is not necessary for normal operation and materially increases attack surface.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script directly embeds externally supplied URLs into CSS @import and image src attributes, causing the generated HTML/PDF rendering path to fetch remote resources. This creates privacy leakage, non-deterministic output, and a server-side request surface if untrusted tokens are accepted, which is riskier than expected for a local document-generation skill.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
A PDF field inspection utility should only read and report document metadata, but this code silently performs package installation as a side effect. That behavior can execute untrusted package-install hooks, introduce dependency confusion or supply-chain risk, and violates least surprise for a document-processing tool.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
Automatically installing packages during PDF form filling is unsafe because processing a local document should not trigger package management side effects or external package retrieval. In an agent/skill context, this is more dangerous because invoking a seemingly simple document task can unexpectedly modify the host environment and execute newly downloaded code.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
Installing Python packages during normal execution is not necessary for merging PDFs and expands the script's behavior beyond document processing into environment mutation. This creates supply-chain exposure and allows an ostensibly local PDF operation to reach out for code installation without user awareness or review.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill's stated purpose is PDF merge/formatting, but the code also changes the execution environment by installing software. That mismatch increases risk because users and orchestrators may grant the skill file-processing trust while not expecting package management actions that can persist beyond the task and affect other workloads.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
A document parsing skill should not silently install software as part of normal execution. Even though the package name is hardcoded to pypdf, this behavior introduces supply-chain risk, unexpected network activity, and host modification that is disproportionate to the skill's purpose.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
Bootstrapping dependencies by calling pip during document rendering is a real security issue because it turns a data-processing operation into one that performs network-based software installation and arbitrary package code execution. In this skill, that behavior is especially risky because PDF generation would normally be expected to be deterministic and local, not to mutate the runtime or pull code dynamically.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script attempts to resolve Playwright from a global npm installation by executing `npm root -g` and then loading code from that location. While likely intended as a convenience fallback, it expands the skill's behavior from document rendering into interacting with the host package environment and trusting globally installed modules, which can execute unreviewed code in the agent context.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
On browser launch failure, the script invokes `npx playwright install chromium` with `shell: true`, causing host-level software installation during normal execution. This exceeds the stated PDF-rendering purpose and introduces package-manager/network side effects, which can be abused in sensitive environments or violate least-privilege expectations for an agent skill.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The README advertises `bash scripts/make.sh fix` as an auto-install step without clearly warning that it may modify the host system by installing packages and tools. In an agent-executed context, such undocumented system changes can violate least surprise, alter the environment, and increase the risk of unintended package installation or privilege-sensitive operations.

Missing User Warnings

Low
Confidence
93% confidence
Finding
The README notes runtime Google Fonts loading but does not prominently warn users about the associated privacy and network behavior. Even if the network access is intentional for visual quality, failing to disclose it can mislead operators into treating the skill as purely local, which is especially problematic in restricted or sensitive environments.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger phrases are broad, natural-language requests such as 'make a PDF', 'generate a report', and 'reformat this document', which are common across many benign workflows. This can cause accidental or over-broad routing into a powerful skill that performs shell-based document processing and file output, increasing the chance of unintended execution on user content or local files.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation permits remote and local image fetching without any warning about privacy, local file access, or network side effects. That omission increases the likelihood of unsafe use: users or downstream components may unknowingly trigger requests to third parties or access local resources while generating a PDF.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code performs undisclosed remote fetching during document rendering through Google Fonts imports, which can surprise operators and leak metadata such as IP address, timing, and document-generation activity to third parties. In an agent skill marketed around PDF creation, hidden network dependence materially increases risk because users may expect purely local rendering.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script installs pypdf without any user warning, confirmation, or opt-in, so merely running a local inspection command may trigger environment modification and remote package retrieval. In a skill context intended for document handling, this hidden behavior is more dangerous because users are likely to expect passive file analysis, not software installation with elevated packaging flags.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script installs a package via pip without warning or confirmation, so users or calling agents may trigger environment changes and arbitrary package installation as a side effect of normal operation. The use of --break-system-packages further increases risk by bypassing protections intended to preserve system Python integrity.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/make.sh:79

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/render_cover.js:41