Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- Privilege Escalation (HIGH): The skill instructs the agent to run sudo apt-get install -y poppler-utils. Executing commands with root privileges allows full system compromise if misused.
- Command Execution (HIGH): The rendering command pdftoppm -png $INPUT_PDF $OUTPUT_PREFIX is vulnerable to shell command injection. If a malicious file name (e.g., '; touch exploit; #.pdf) is provided, it could execute arbitrary code on the host.
- Indirect Prompt Injection (HIGH): The skill is designed to read and review external PDF files, which is a significant attack surface.
  * Ingestion points: External PDF files processed via pdfplumber, pypdf, and pdftoppm.
  * Boundary markers: None; the skill lacks delimiters or instructions to ignore embedded commands within the PDFs.
  * Capability inventory: File system writes (output/pdf/), shell command execution (pdftoppm), and complex data parsing.
  * Sanitization: No validation or sanitization of PDF content or metadata is performed before processing.
- External Downloads (LOW): The skill installs standard Python packages (reportlab, pdfplumber, pypdf). While these come from the official PyPI registry, they are not version-pinned, which can lead to supply chain risks or breaking changes.
Recommendations
- AI detected serious security threats