office-combo
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): High-risk vulnerability surface detected. The skill ingests untrusted content from various document formats (PDF, XLSX, DOCX) and provides the agent with powerful Python and shell execution capabilities to process this data.
  - Ingestion points: Document opening methods like pypdf.PdfReader and pdfplumber.open in references/pdf.md.
  - Boundary markers: Absent; data is extracted and handled as raw text.
  - Capability inventory: Includes arbitrary Python execution, local file system write access (writer.write, to_excel), and shell utility execution (qpdf, pdftotext).
  - Sanitization: No input validation or instruction-ignoring delimiters are present.
- [Command Execution] (MEDIUM): The skill explicitly instructs the agent to run CLI tools like qpdf and pdftotext. This presents a risk if the agent's logic is subverted by malicious file content to execute commands against the host system.
- [Metadata Poisoning] (LOW): The references/INDEX.md file contains hardcoded absolute paths (/Users/dengwenyu/.pi/...), leaking the creator's username and local file structure.
Recommendations
- AI detected serious security threats
Audit Metadata