Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is highly vulnerable to indirect prompt injection through malicious PDF files.
- Ingestion points: Untrusted external data is ingested via
PdfReader,pdfplumber.open, andconvert_from_pathin SKILL.md. - Boundary markers: Absent. There are no instructions to the agent to treat extracted content as untrusted or to ignore embedded instructions.
- Capability inventory: The skill allows for significant side effects, including file modification via
writer.write,c.save, andto_excel, as well as command-line tool execution (qpdf,pdftk). - Sanitization: Absent. Extracted text, metadata, and table data are processed without any validation or filtering.
- Risk: Maliciously crafted PDFs could contain hidden instructions that cause the agent to perform unauthorized file operations or deviate from its intended behavior.
Recommendations
- AI detected serious security threats
Audit Metadata