Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill's primary function is to process untrusted data from external sources, creating a high-risk attack surface.
- Ingestion points: Functions like PdfReader, pdfplumber.open, and convert_from_path (used for OCR) extract text and metadata from user-provided PDF files.
- Boundary markers: The skill provides no instructions or markers to help the agent distinguish between extracted data and system instructions.
- Capability inventory: The skill enables the agent to execute shell commands (qpdf, pdftotext, pdftk, pdfimages) and perform file-system write operations (writer.write, to_excel).
- Sanitization: There is no evidence of sanitization, filtering, or validation of the content extracted from PDF documents before it is processed by the agent.
- [Command Execution] (MEDIUM): The skill documentation encourages the use of various command-line utilities. If the agent constructs these commands using untrusted metadata (such as filenames, titles, or author fields extracted from the PDF), it could lead to command injection vulnerabilities.
Recommendations
- AI detected serious security threats
Audit Metadata