pdf-extractor
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): This skill processes untrusted PDF files via 'extract.py', 'convert.sh', and 'parse.py'. This ingestion point lacks documented boundary markers or sanitization logic. Since the skill is granted 'Bash' and 'Write' capabilities, a malicious PDF could contain embedded instructions that hijack the agent to execute harmful system commands or overwrite local files.
- [Command Execution] (HIGH): The 'convert.sh' script and 'Bash' tool permission create a high risk of shell injection. Maliciously crafted file paths provided in the 'input_file' argument (e.g., using command delimiters like semicolons) could be used to execute arbitrary code on the host system.
- [Data Exposure] (MEDIUM): The 'Read' tool permission allows the skill to access any file the agent can reach. An attacker-controlled PDF could trigger an indirect prompt injection that instructs the agent to read and exfiltrate sensitive local files such as configuration secrets or credentials.
Recommendations
- AI detected serious security threats