working-with-documents
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is designed to ingest data from untrusted external sources, creating a high risk for indirect prompt injection.
  - Ingestion points: Content extraction is performed via `pandoc`, `pdfplumber`, `pdftotext`, `markitdown`, and `pytesseract` (SKILL.md).
  - Boundary markers: No delimiters or isolation instructions are present to differentiate document content from system instructions.
  - Capability inventory: The skill can execute complex system commands (`soffice`, `qpdf`, `pandoc`), modify the filesystem, and perform OCR, providing significant impact for any successful injection.
  - Sanitization: There is no evidence of filtering or sanitization of the extracted text before it is processed by the agent.
- [COMMAND_EXECUTION] (MEDIUM): The skill relies extensively on shell command execution for utilities like LibreOffice (`soffice`), `qpdf`, and `pandoc`. This presents a risk of command injection if file paths or extracted content are improperly handled during command construction.
- [EXTERNAL_DOWNLOADS] (LOW): The skill requires a large number of Python and Node.js packages, as well as system-level utilities (`apt-get install`). While these are from established repositories, they expand the overall attack surface and require elevated privileges for setup.
Recommendations
- AI detected serious security threats