pdf-to-markdown
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
CREDENTIALS_UNSAFE, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill uses `subprocess.run` to execute the 1Password CLI (`op read`). This grants the script access to the user's decrypted secrets vault. While the path is currently hardcoded, any vulnerability in the script could allow an attacker to read arbitrary secrets if the vault is unlocked.
- [PROMPT_INJECTION] (HIGH): Indirect Prompt Injection surface via PDF ingestion.
  - Ingestion points: `input_path` in `convert_to_markdown.py` reads external PDF files.
  - Boundary markers: None. PDF content is parsed directly into Markdown.
  - Capability inventory: The skill has `Bash` permissions and can write files to the user's `~/Desktop` or arbitrary paths provided via arguments.
  - Sanitization: Only removes image tags; it does not sanitize the text content against malicious instructions. If the output Markdown is fed into another AI agent (as suggested in the 'Common Use Cases'), the instructions inside the PDF can hijack that agent.
- [CREDENTIALS_UNSAFE] (HIGH): The script hardcodes a specific 1Password secret reference: `op://Geoffrey/Gemini/api-key`. This exposes the internal vault structure and the specific location of sensitive credentials.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill documentation and `marker-pdf` library behavior involve downloading 1-2GB of ML models at runtime to `~/.cache/marker/`. These downloads are from unverified remote sources (GitHub/HuggingFace) and are executed/loaded during the conversion process.
Recommendations
- AI detected serious security threats