paperless-ngx
Pass
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The `SKILL.md` file employs aggressive instructional language, such as '⚠️ MANDATORY SKILL INVOCATION ⚠️' and statements that failure to invoke the skill 'violates your operational requirements.' These patterns are designed to coerce the AI agent into specific behaviors and override its default tool-selection logic.
- [COMMAND_EXECUTION]: The skill operates via several Bash scripts (`paperless-api.sh`, `tag-api.sh`, `correspondent-api.sh`, `bulk-api.sh`) that use `curl` and `jq` to perform network operations and process data. These scripts provide a significant capability surface for interacting with local files and remote APIs.
- [DATA_EXFILTRATION]: The `upload` and `download` commands in `scripts/paperless-api.sh` facilitate the movement of data between the local file system and a remote server. While intended for document management, these tools allow the agent to read local files for upload or write remote content to local paths.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It retrieves OCR-extracted text from documents via the `search` and `get` commands in `scripts/paperless-api.sh`. This untrusted data is fed directly into the agent's context.
  - Ingestion points: `scripts/paperless-api.sh` (search results and document details).
  - Boundary markers: None; the scripts do not wrap OCR content in delimiters or include instructions to ignore embedded commands.
  - Capability inventory: The skill has extensive capabilities including file-write (download), file-read (upload), and deletion/modification of data on the remote server.
  - Sanitization: There is no evidence of sanitization or filtering of the text content extracted from the document management system.
Audit Metadata