Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill facilitates the ingestion of untrusted external data from PDF files, creating a significant vulnerability to indirect prompt injection. Ingestion points: The skill uses pypdf.PdfReader, pdfplumber.open, and pytesseract (via pdf2image) to read content from external files like document.pdf. Boundary markers: There are no boundary markers, delimiters, or system instructions provided to ensure the agent ignores or treats embedded text within the PDFs as untrusted data. Capability inventory: The skill has powerful write capabilities via PdfWriter.write, pandas.to_excel, and canvas.save, and it can execute system utilities. Sanitization: No logic is present to sanitize extracted text, metadata, or table data before it is used in downstream tasks or written to disk.
- [Command Execution] (MEDIUM): The skill includes instructions for using command-line utilities such as qpdf, pdftk, and pdftotext. This increases the attack surface, as an agent might be manipulated via a malicious PDF to interpolate unsanitized strings into these system-level commands.
Recommendations
- AI detected serious security threats