Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is designed to extract text and structured data from external PDF files, creating a significant Indirect Prompt Injection surface.
- Ingestion points: Untrusted data enters the agent context via
PdfReader,pdfplumber.open,pdftotext, andpytesseractoperations across multiple code blocks inSKILL.md. - Boundary markers: There are no delimiters or instructions to the agent to ignore embedded commands within the extracted PDF text.
- Capability inventory: The skill explicitly includes file-writing capabilities (
writer.write,to_excel) and shell command execution (qpdf,pdftk,pdftotext), which could be abused if an injected prompt successfully hijacks the session. - Sanitization: No sanitization or validation of the extracted content is performed before it is processed by the agent.
- COMMAND_EXECUTION (LOW): The skill documentation includes several examples of executing external CLI tools (
qpdf,pdftk,poppler-utils). While these are standard for PDF processing, they provide the necessary primitives for an attacker to perform unauthorized actions if combined with a prompt injection.
Recommendations
- AI detected serious security threats
Audit Metadata