minimax-docx

Security checks across malware telemetry and agentic risk

Overview

This DOCX skill is mostly purpose-aligned, but ordinary document requests could trigger broad local command execution, package installation, and persistent environment changes.

Install only if you are comfortable with a document skill that can run local setup commands, install dependencies, and read or modify DOCX-related files. Review setup.sh first, prefer minimal setup when possible, and require explicit confirmation before it reads arbitrary local paths or changes existing documents.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 93%
Finding: The skill invokes shell commands (`bash`, `powershell`, `dotnet run`, helper scripts) but does not declare any permissions or execution boundaries. That creates a capability/consent gap: an agent may execute setup, conversion, validation, or preview commands with host-level access that the platform and user did not explicitly authorize.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The skill is presented as a DOCX authoring/formatting skill, but it also performs environment setup, dependency installation, project restore/build, diagnostics, document conversion, and preview extraction. This expands the trust boundary significantly: using the skill for a simple document task may trigger package installation, shell execution, file conversion, or inspection of local documents and system state.

Intent-Code Divergence

Severity: Medium
Confidence: 91%
Finding: ResolveComment ignores its commentId parameter and marks the first matching extensible comment element as done, so callers may resolve the wrong comment. In a document workflow system, this can silently alter review state and audit meaning, undermining the integrity of approvals, review tracking, or compliance records.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding: The instruction to 'MUST use this skill whenever' a request implies a formal or printable document is overly broad and can capture many ordinary writing tasks that do not require local file manipulation or shell tooling. In context, that broad routing is more dangerous because the skill can run setup scripts, invoke CLI tools, inspect files, and modify documents, increasing unintended exposure and execution risk.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding: The trigger list includes very generic terms such as `document`, `Word`, `报告`, and `排版`, which are likely to match normal conversation unrelated to this specific local-shell-based skill. Because the skill has operational capabilities beyond simple text generation, accidental activation can lead to unnecessary file access, command execution, or environment changes.

Missing User Warnings

Severity: Low
Confidence: 81%
Finding: The skill explicitly tells the agent to collect user-provided image file paths for inclusion in a DOCX, but it provides no guardrails about restricting access to workspace-approved files, obtaining explicit consent for local file reads, or avoiding sensitive paths. In an agent setting, this can normalize reading arbitrary local files and embedding their contents into generated documents, creating a path-based privacy and data exposure risk even if the immediate use case is legitimate document assembly.

VirusTotal

64/64 vendors flagged this skill as clean.