Fail
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill requests execution of commands requiring administrative privileges to install system utilities.
- Evidence: 'sudo apt-get install -y poppler-utils' in SKILL.md. This allows for privilege escalation within the execution environment.
- The rendering command 'pdftoppm -png $INPUT_PDF $OUTPUT_PREFIX' expands the input and output variables unquoted, so untrusted filenames could lead to shell injection if they are not properly sanitized.
- [EXTERNAL_DOWNLOADS]: The skill automates the installation of several third-party dependencies from public repositories.
- Evidence: Installation of 'reportlab', 'pdfplumber', and 'pypdf' via pip, and 'poppler' via brew or apt-get in SKILL.md.
- [PROMPT_INJECTION]: The skill processes untrusted PDF data, making it susceptible to indirect prompt injection attacks where malicious content in a PDF influences agent behavior.
- Ingestion points: Untrusted PDF files are ingested and parsed for text and layout in SKILL.md.
- Boundary markers: None. The skill does not define clear boundaries or 'ignore' instructions for the content extracted from PDFs.
- Capability inventory: The agent can execute shell commands (pdftoppm) and perform file system operations (writes to tmp/ and output/ directories).
- Sanitization: No sanitization or validation logic is specified for the text extracted from PDF documents before it enters the agent's context.
Recommendations
- AI detected serious security threats
Audit Metadata