document-granular-decompose
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script scripts/mineru_fulltext_extract.py accepts a --file argument and reads the content of local files. While restricted by an extension allowlist, it enables the reading and processing of arbitrary local documents.
- [COMMAND_EXECUTION]: The script includes an --insecure flag that disables TLS certificate verification by using ssl._create_unverified_context(). This bypasses standard network security protocols and makes the connection vulnerable to man-in-the-middle (MitM) attacks.
- [DATA_EXFILTRATION]: The skill transmits the contents of local documents to an external API endpoint defined by the UNSTRUCTURED_API_BASE_URL environment variable, which allows potentially sensitive data to be sent to a remote server.
- [PROMPT_INJECTION]: The skill processes untrusted document content and returns it as plain text to the agent, creating a surface for indirect prompt injection.
- Ingestion points: Document content is read from local files in scripts/mineru_fulltext_extract.py.
- Boundary markers: No explicit boundary markers or instructions to ignore embedded commands are used when processing the document text.
- Capability inventory: The script has the capability to read local files and perform network POST requests.
- Sanitization: The extracted text is returned without sanitization or filtering.
Audit Metadata