pdf-factory
Pass
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (LOW): The script scripts/fetch_icons.py downloads SVG icons from the unpkg.com CDN using urllib.request. While unpkg is a widely used CDN, it is not on the explicit whitelist of trusted sources, and runtime downloads represent a dependency on external infrastructure.
- [COMMAND_EXECUTION] (LOW): The scripts/install_deps.py script executes subprocess calls to install 13 Python packages. Although these are standard libraries for PDF processing (e.g., reportlab, xhtml2pdf), installing unversioned packages via pip/uv is a security concern that is mitigated here by the intended primary purpose of the skill.
- [PROMPT_INJECTION] (LOW): The skill processes untrusted markdown and JSON (brand kit) data. This creates an indirect prompt injection surface. However, the sink is a PDF document, which limits the immediate execution risk.
  - Ingestion points: Markdown source files and brand-specific manifest.json/zones.json files.
  - Boundary markers: None identified in the documentation or scripts.
  - Capability inventory: File system write access, network read access (icons), and subprocess execution for rendering/composition.
  - Sanitization: Employs structural parsing (markdown library) and converts potentially risky vector formats (SVG) to raster (PNG) using svglib before rendering.