Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
PROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is designed to ingest and process external, untrusted content (PDF documents) and possesses high-privilege capabilities including file writing and shell command execution.
  - Ingestion points: Untrusted data enters the agent context through `PdfReader`, `pdfplumber.open`, and `convert_from_path` as documented in `SKILL.md`.
  - Boundary markers: No markers or delimiters are suggested to help the agent distinguish between document content and system instructions.
  - Capability inventory: The skill enables file system modifications (`writer.write`, `to_excel`, `canvas.save`) and shell command execution via tools like `qpdf` and `pdftotext`.
  - Sanitization: No sanitization, validation, or filtering logic is present in the provided examples to mitigate instructions embedded in PDF text or metadata.
Recommendations
- AI detected serious security threats
Audit Metadata