Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill parses untrusted PDF documents and metadata (ingestion points: SKILL.md via pypdf and pdfplumber). Maliciously crafted files or metadata fields (e.g., Title, Author) can contain instructions that override agent behavior.
  - Boundary markers: Absent. The skill provides no mechanism to delimit extracted text or to warn the agent about embedded instructions.
  - Capability inventory: The skill enables file system modifications (PdfWriter.write, canvas.save) and subprocess execution of system utilities (qpdf, pdftotext, pdftk).
  - Sanitization: No sanitization, validation, or filtering of extracted content is performed.
- [Command Execution] (MEDIUM): The documentation provides examples for the agent to use shell-based tools such as qpdf, pdftotext, and pdftk. If the agent constructs these commands from untrusted data taken from a PDF (e.g., a filename or password) without rigorous escaping, the result could be command injection.
- [External Downloads] (LOW): The skill references several external dependencies, including pypdf, pdfplumber, pandas, reportlab, pytesseract, pdf2image, pypdfium2, and pdf-lib. While these are common libraries, they represent an external dependency surface that should be audited for version integrity.
Recommendations
- AI detected serious security threats
Audit Metadata