Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill's core functionality is to process untrusted data from external PDF documents, which serves as a vector for malicious instructions.
  - Ingestion points: pypdf.PdfReader, pdfplumber.open, and pytesseract.image_to_string (OCR) in SKILL.md are used to read external files.
  - Boundary markers: Absent. The skill lacks delimiters (e.g., XML tags or markers) to separate extracted untrusted text from the agent's instructions.
  - Capability inventory: The skill provides significant side-effect capabilities, including file writing (writer.write, df.to_excel, c.save) and execution of external command-line utilities (pdftotext, qpdf, pdftk, pdfimages) in SKILL.md.
  - Sanitization: Absent. There is no evidence of filtering, escaping, or validation of the text extracted from PDFs before it is used in subsequent agent logic.
- Unverifiable Dependencies (LOW): The skill references multiple external Python and system packages. While these are well-known and reputable (pypdf, pdfplumber, reportlab, poppler-utils), they represent an external dependency surface.
Recommendations
- AI detected serious security threats
Audit Metadata