pdf-design
Fail
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The Python script in SKILL.md is designed to read a sensitive Google Drive token file located at /home/jamditis/.claude/google/drive-token.json. This file contains OAuth access tokens, refresh tokens, client IDs, and client secrets, the exposure of which could lead to unauthorized account access.
- [DATA_EXFILTRATION]: The skill implements a workflow to read local files and transmit them to external Google Drive folders (1lKTdwq4_5uErj-tBN112WCdJGD2YtetO and 1e5dtKOiuvk0PPrFq3UyNI2UAa6RFiom3). While targeting a well-known service, the ability for an agent to programmatically upload local data to predefined remote storage represents a significant exfiltration vector if subverted.
- [COMMAND_EXECUTION]: The skill frequently invokes shell commands via os.system or subprocess equivalents, including chromium-browser, pdftoppm, and pdfinfo. It also executes arbitrary Python code using a heredoc in SKILL.md. These patterns increase the risk of command injection if user-provided filenames or paths are not strictly validated.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8).
  - Ingestion points: User-provided descriptions of changes for PDF design (SKILL.md).
  - Boundary markers: None. No instructions are provided to ignore embedded instructions in the user's design requests.
  - Capability inventory: Shell command execution, local file reading/writing via Chromium, and Google Drive upload capabilities (SKILL.md).
  - Sanitization: None. User input is directly interpreted to modify HTML content, which is subsequently rendered by a headless browser, creating a path for local file disclosure (LFD) or cross-site scripting (XSS) within the PDF generation environment.
Recommendations
- AI detected serious security threats
Audit Metadata