skills/dev-goraebap/skills/pdf-parser/Gen Agent Trust Hub

pdf-parser

Fail

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: CRITICAL
[REMOTE_CODE_EXECUTION] [COMMAND_EXECUTION] [DATA_EXFILTRATION] [PROMPT_INJECTION]
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The package.json file specifies a dependency on pdf-parse with version ^2.4.5. According to the official NPM registry, the pdf-parse package has not been updated in years and its latest stable version is 1.1.1. Specifying a significantly higher, non-existent version is a definitive indicator of a dependency confusion attack, where a malicious package with the higher version number is published to a public registry to override legitimate internal or older packages.
  • [COMMAND_EXECUTION]: The skill instructions in SKILL.md direct the agent to execute npm install --silent within the scripts directory. This command will trigger the download and installation of the suspicious pdf-parse@2.4.5 package, potentially executing malicious pre-install or post-install scripts on the host system.
  • [DATA_EXFILTRATION]: The JavaScript code in extract_pdf_text.js utilizes an API (new PDFParse) that does not exist in the legitimate pdf-parse library. This confirms the script is designed to interact with a compromised or malicious version of the library. Given the script has direct access to the file system (fs.readFileSync), a malicious dependency could easily exfiltrate the contents of processed PDFs or other sensitive files to an external server.
  • [PROMPT_INJECTION]: The skill exhibits a high surface area for indirect prompt injection as it processes untrusted external data (PDFs) and extracts text for agent use.
      • Ingestion points: The extract_pdf_text.js script reads binary data from an arbitrary file path provided as {입력.pdf}.
      • Boundary markers: The skill lacks any delimiters or instructions to the agent to ignore potentially malicious commands embedded within the extracted PDF text.
      • Capability inventory: The skill has the ability to read from and write to any path on the file system via the fs module.
      • Sanitization: There is no validation or sanitization of the extracted text content before it is written to the output file or returned to the agent context.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: CRITICAL
  • Analyzed: Mar 10, 2026, 11:22 AM