Skills
skills/krishagel/geoffrey/pdf/Gen Agent Trust Hub

pdf

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill's primary purpose is to ingest untrusted external data from PDF files.
  • Ingestion points: Uses pypdf.PdfReader, pdfplumber.open, and pytesseract to extract content from files like document.pdf and scanned.pdf.
  • Boundary markers: There are no delimiters or instructions to treat extracted text as untrusted data.
  • Capability inventory: The skill is granted Bash, Write, and Edit permissions in its frontmatter.
  • Sanitization: No sanitization or validation of extracted text is performed before it enters the agent's context.
  • [Metadata Poisoning] (MEDIUM): The skill references external files forms.md and reference.md for 'instructions' and 'advanced features.' These files are missing from the package, creating a risk where an agent might be directed to follow unverified or malicious instructions if those files are provided by an external source.
  • [Command Execution] (HIGH): The explicit inclusion of the Bash tool in the allowed-tools list, combined with the logic to process external content, creates a direct vector for command injection if the agent is persuaded to execute shell commands based on text found inside a processed PDF.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 06:01 AM