pdf-reader
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill's primary function is to ingest untrusted external data (PDF content) and feed it into the agent's context. There are no boundary markers or instructions to the agent to treat this data as untrusted.
  - Ingestion Point: The scripts/read_pdf.py script extracts text and tables from user-provided PDF files.
  - Boundary Markers: Absent. The SKILL.md workflow simply states the extracted text is 'shown' or 'saved', meaning it enters the conversation history directly.
  - Capability Inventory: The agent has the capability to write files (via a 'Write' tool mentioned in SKILL.md) and execute shell commands via WSL.
  - Sanitization: None. The script extracts raw text and table data without any filtering or escaping.
- Data Exposure (MEDIUM): The scripts/read_pdf.py script takes a file path as a command-line argument without validation or sandboxing. While it issues a warning if the file doesn't end in .pdf, it proceeds to attempt to open and read the file using pdfplumber. An attacker could attempt to read sensitive files (e.g., .env, .ssh/config) if they can be processed by the library or if the error output leaks content.
- Command Execution (LOW): The skill's operational model involves the agent constructing and executing shell commands (e.g., wsl python3 scripts/read_pdf.py ...). If the agent does not properly escape the file path provided by the user, this could lead to local command injection on the host or WSL environment.
Recommendations
- AI detected serious security threats
Audit Metadata