slidekit-templ
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill's core function is to ingest untrusted data (PDFs) and have the agent interpret that data to generate code (HTML). This creates a significant injection surface.
  - Ingestion points: The agent reads slide screenshots (`slide-NN.jpg`) generated from user-provided PDF files.
  - Boundary markers: No delimiters or explicit instructions are provided to help the agent distinguish between slide content and potential malicious instructions embedded in the slides.
  - Capability inventory: The skill allows the agent to execute a Python script (`pdf_to_images.py`) and write multiple HTML files to the local filesystem.
  - Sanitization: There is no sanitization of the text extracted from the images. The instructions explicitly tell the agent to 'Match text content exactly,' which is exactly how an injection would be triggered.
- [Unverifiable Dependencies] (LOW): The skill requires the installation of `poppler` via Homebrew. While `poppler` is a trusted utility, the skill relies on the user's environment having the correct binary available, and the Python script executes this binary via `subprocess.run`.
- [Command Execution] (LOW): The script `pdf_to_images.py` uses `subprocess.run` to call `pdftoppm`. It correctly uses a list for arguments rather than a shell string, which mitigates direct shell injection risks.
Recommendations
- AI detected serious security threats