pdf-reader
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFE
PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes content from external PDF files which may contain instructions targeting the AI agent.
  - Ingestion points: Extracted text is read by the agent from `pdftotext` output and the `scripts/extract.py` script.
  - Boundary markers: Output contains minimal separation (e.g., '--- Page 1 ---'), which does not provide a robust security boundary to prevent instruction obedience.
  - Capability inventory: The agent is tasked with summarizing and analyzing the extracted text, creating a direct path for injection.
  - Sanitization: No sanitization or filtering is performed on the text extracted from the PDF.
- [EXTERNAL_DOWNLOADS]: The skill downloads PDF files from user-provided URLs.
  - Evidence: `curl -sL "URL" -o /tmp/document.pdf` in SKILL.md.
- [COMMAND_EXECUTION]: The skill instructs the agent to execute various command-line tools for document processing.
  - Evidence: Uses `pdftotext`, `pdfinfo`, `pdfimages`, and `python3 scripts/extract.py`.
Audit Metadata