Back to skill

Security audit

AI-powered PDF organizer with smart naming

Security checks across malware telemetry and agentic risk

Overview

This is a coherent PDF-organizer skill, but users should know it may send extracted PDF text to an external AI provider and rename or move local files.

Use a dedicated API key, start with dry_run or backed-up test PDFs, and avoid processing confidential, regulated, or proprietary documents unless sending extracted text to the chosen AI provider is approved. Also review the actual Python implementation and dependencies before running them, since they were not included in this package.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill states it uses OpenAI/Kimi APIs to analyze PDF contents, but it does not clearly warn users that document text may be transmitted to a third-party service. This can cause unintended disclosure of sensitive, proprietary, or regulated data because users may assume processing is local when organizing files.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.