Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill processes untrusted PDF files to extract text and tables. This creates a significant attack surface where malicious instructions embedded in a PDF could influence the agent's behavior.
  1. Ingestion points: PDF reading via pypdf (PdfReader) and pdfplumber (open) in SKILL.md.
  2. Boundary markers: Absent. The skill does not implement delimiters or instructions to ignore embedded commands in extracted content.
  3. Capability inventory: File system write operations (writer.write, to_excel) and shell command execution (qpdf, pdftk).
  4. Sanitization: Absent. No filtering or escaping of extracted text is performed.
- [Command Execution] (MEDIUM): The skill documentation encourages the use of CLI tools (qpdf, pdftk, pdftotext). If an agent uses these tools with unsanitized filenames or metadata derived from untrusted PDF files, it could lead to command injection vulnerabilities.
Recommendations
- AI detected serious security threats
Audit Metadata