Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (HIGH): The skill exhibits a classic Indirect Prompt Injection surface (Category 8).
- Ingestion points: Untrusted data enters the agent's context through several files and methods, including
pypdf.PdfReader,pdfplumber.open, and OCR viapytesseract(File: SKILL.md). - Boundary markers: The skill lacks any instructions or delimiters to isolate extracted PDF text or warn the agent to ignore instructions embedded within the processed documents.
- Capability inventory: The skill documentation guides the agent to use high-privilege capabilities including Python code execution (
pypdf,pdfplumber,reportlab) and shell command execution (qpdf,pdftk,pdftotext). - Sanitization: There is no evidence of sanitization or filtering of the content extracted from PDFs before it is interpreted by the agent.
- COMMAND_EXECUTION (MEDIUM): The skill promotes the use of external CLI tools (
qpdf,pdftk,poppler-utils). While these are standard tools, executing them with arguments potentially derived from untrusted PDF metadata or content presents a risk of command injection if the agent does not strictly validate inputs.
Recommendations
- AI detected serious security threats
Audit Metadata