skills/horuz-ai/claude-plugins/pdf/Gen Agent Trust Hub

pdf

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH PROMPT_INJECTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill is designed to ingest and process content from external PDF files, which is a significant attack surface for indirect prompt injection.
      • Ingestion Points: Content is ingested via pypdf.PdfReader and pdfplumber.open, as seen in SKILL.md.
      • Capability Inventory: The skill demonstrates file-writing capabilities including writer.write(), combined_df.to_excel(), and canvas.save().
      • Boundary Markers: There are no instructions or patterns provided to delimit extracted text or warn the agent to ignore instructions embedded within the PDF content.
      • Sanitization: No sanitization or validation of the extracted text is performed before it is potentially used in downstream agent reasoning or file operations.
  • Command Execution (MEDIUM): The skill explicitly documents the use of various command-line utilities for PDF processing.
      • Evidence: Documentation includes examples for pdftotext, qpdf, pdftk, and pdfimages in SKILL.md.
      • Risk: If an agent adopts these patterns to perform tasks, it will be executing shell commands. When combined with input derived from untrusted PDFs (e.g., filenames or metadata), this could lead to command injection if that input is not properly sanitized.
  • External Downloads (LOW): The skill references several external Python dependencies required for OCR and table extraction.
      • Evidence: Comments in SKILL.md suggest pip install pytesseract pdf2image and usage of pandas and pdfplumber.
      • Analysis: While these are well-known libraries, they represent an external dependency chain that should be verified for version pinning and integrity.
  • Credentials Unsafe (LOW): A placeholder password is used in a command-line example.
      • Evidence: qpdf --password=mypassword --decrypt encrypted.pdf decrypted.pdf in SKILL.md.
      • Analysis: This is an informational finding, as 'mypassword' is a clear documentation placeholder, but it highlights the risk of agents logging or handling passwords in plaintext command-line arguments.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 12:31 PM