Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to indirect prompt injection because it processes untrusted PDF data from external sources and possesses high-privilege capabilities.
  - Ingestion points: Processes external PDF files using `PdfReader`, `pdfplumber.open`, and `convert_from_path` as seen in `SKILL.md`.
  - Boundary markers: Absent. There are no delimiters or instructions to the agent to disregard embedded commands within the PDF content.
  - Capability inventory: The skill allows filesystem writes (`writer.write`, `df.to_excel`, `c.save`) and execution of shell commands (`pdftotext`, `qpdf`, `pdftk`, `pdfimages`) in `SKILL.md`.
  - Sanitization: Absent. No validation or filtering is applied to extracted text, metadata, or table data before it is processed or written back to the system.
- [COMMAND_EXECUTION] (LOW): The skill documents the use of several system binaries (`pdftotext`, `qpdf`, `pdftk`, `pdfimages`). While standard for PDF processing, these tools increase the attack surface if the agent is tricked into executing them with malicious arguments via prompt injection.
Recommendations
- AI detected serious security threats
Audit Metadata