Mojira Archive
WEB-930

(Harmful) Additional Skin Data

A friend of mine and I found a weird behaviour in the skin upload function on minecraft.net which I would definitely describe as unintended.

When additional data is added to the skin png after the actual image content, it doesn't get cut off during the skin upload.

We tried this with the Minecraft account mammut54 and uploaded a manipulated skin png through the minecraft.net website.

-Skin URL: http://textures.minecraft.net/texture/ 3d32feff8e36cc696312a079688d877b529d7a73b25a6834bba6f2bbbe2a188
(There's a whitespace in between the URL so nobody accidentally clicks on it)

Additional data after the image:

As you can see, there are 3 batch commands after the image, which disable the mouse on any Windows system, so I do not recommend running this. Any modern antivirus program should detect this. When I open the skin url in my browser, Windows Defender instantly notifies me of a Trojan:BAT/Disablemouse. Nothing special.
The problem is that joining a Minecraft server where this player is online triggers a skin download in the client.
Windows Defender automatically detects the "harmful" file:

Although the file doesn't get executed and therefore it isn't too critical, I don't think that this is intended.

Duplicate

Dogboy21

2017-11-14, 10:06 PM

2017-11-14, 11:17 PM

2017-11-14, 11:17 PM
