latex
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: CRITICAL
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill creates a significant attack surface for Indirect Prompt Injection by ingesting external PDF content via marker_extract.py. The instructions direct the agent to 'extract and rewrite' this content into LaTeX templates without sanitization or clear boundary markers. This allows malicious instructions hidden in a PDF to influence the agent's actions or the generated LaTeX code.
- [COMMAND_EXECUTION] (HIGH): The skill executes system commands for LaTeX compilation (e.g., xelatex, bibtex). If malicious LaTeX macros (like \write18) are injected through the PDF processing pipeline, they could lead to arbitrary system command execution.
- [REMOTE_CODE_EXECUTION] (HIGH): Automated scans identified a pattern in marker_extract.py where data fetched from a local Ollama API (127.0.0.1:11434) is used in subprocess calls. This allows a local service or a compromised Ollama instance to control command execution within the skill's context.
- [EXTERNAL_DOWNLOADS] (LOW): The skill performs network operations to reach external LLM providers (OpenAI, DeepSeek, ChatAnywhere) and local model endpoints for processing.
Recommendations
- CRITICAL: Downloads and executes remote code from untrusted source(s): http://127.0.0.1:11434/api/tags - DO NOT USE
- AI detected serious security threats