pdf-tools
Pass
Audited by Gen Agent Trust Hub on Feb 24, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through the processing of untrusted PDF content. \n
- Ingestion points: PDF document text and images are extracted and passed to LLMs in
references/ai-extraction-patterns.mdandreferences/batch-and-accessibility.md. \n - Boundary markers: No delimiters or boundary markers are used when interpolating extracted text into prompts (e.g.,
Extract structured data from this PDF text: ${text}). \n - Capability inventory: The skill has the ability to write files to the local file system (
fs.writeFile) and execute various command-line utilities. \n - Sanitization: There is no evidence of sanitization or validation of the extracted PDF content before it is processed by the AI models. \n- [COMMAND_EXECUTION]: The skill relies on several external CLI tools and scripts to perform PDF operations. \n
- CLI Utilities: Uses
qpdf,ghostscript,pdftotext,exiftool, andverapdffor tasks such as repair, encryption, and metadata removal. \n - External Scripts: References a collection of Python scripts in a
scripts/directory (e.g.,check_fillable_fields,extract_form_field_info.py) that are not present in the provided skill files.
Audit Metadata