invoice-organizer
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. It instructs the agent to read the contents of untrusted files (PDFs, images, and screenshots) and extract information such as vendor names and descriptions. If an attacker-controlled invoice contains hidden instructions, the agent might execute them as part of its processing flow.
- Ingestion points: The skill reads content from PDF, JPG, and PNG files located in user-specified directories (SKILL.md).
- Boundary markers: The instructions lack explicit boundary markers or warnings to ignore embedded instructions within the extracted text.
- Capability inventory: The skill utilizes file system operations including `find`, `mkdir`, `cp`, and `mv` commands (SKILL.md).
- Sanitization: There is no evidence of sanitization, escaping, or validation of the text extracted from the invoices before it is used to determine organization paths or create filenames.
- [COMMAND_EXECUTION]: The skill relies on executing shell commands to perform its core functions. It uses `find` to locate files and `mkdir`, `cp`, and `mv` to restructure the file system. While these are intended behaviors for an organization tool, they represent the capability set that could be abused if an indirect prompt injection attack occurs.
Audit Metadata