kb-retriever
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill provides tools and extensive documentation for processing external, untrusted content (PDFs and Excel files).
- Ingestion points: Untrusted data enters the agent context through `scripts/convert_pdf_to_images.py` (which processes PDFs) and the methods described in `references/pdf_reading.md` and `references/excel_reading.md`.
- Boundary markers: Absent. There are no instructions or scripts that implement delimiters (e.g., XML tags) or system instructions to treat the extracted content as untrusted data.
- Capability inventory: The skill enables file system write operations (`scripts/convert_pdf_to_images.py`) and documents the use of shell commands for document processing. This combination of reading untrusted data and having execution capabilities is a high-risk surface.
- Sanitization: Absent. No logic is provided to filter, escape, or validate the text extracted from documents for malicious instructions.
- Command Execution (MEDIUM): `references/pdf_reading.md` explicitly instructs the agent to use shell commands like `pdftotext`, `pdftoppm`, and `pdfimages`. While these are standard tools, the lack of input sanitization on filenames or parameters could lead to command injection if an attacker provides a maliciously named file.
Recommendations
- AI detected serious security threats
Audit Metadata