Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is designed to ingest untrusted data from external PDF files which serves as a primary attack vector.
- Ingestion points: The skill uses
PdfReaderandpdfplumber.opento read local PDF files, andconvert_from_pathfor OCR processing inSKILL.md. - Boundary markers: Absent. There are no instructions provided to the agent to delimit or ignore instructions found within the processed PDFs.
- Capability inventory: The skill possesses file writing capabilities (
writer.write,combined_df.to_excel,c.save()) and encourages system command execution through tools likeqpdfandpdftk. - Sanitization: Absent. The skill does not perform any validation or filtering of the content extracted from the PDFs before processing or using it in further logic.
- Command Execution (MEDIUM): The skill documentation promotes the use of external CLI utilities.
- Evidence: The
SKILL.mdfile provides specific command-line examples forpdftotext,qpdf, andpdftk. - Risk: These tools are typically invoked via subprocess calls. If an agent's reasoning is compromised by instructions inside a PDF, these tools provide a mechanism for the attacker to perform unauthorized file manipulations or system operations.
Recommendations
- AI detected serious security threats
Audit Metadata