search

Pass

Audited by Gen Agent Trust Hub on May 8, 2026

Risk Level: SAFE (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface because it processes untrusted data from external documents.
      • Ingestion points: The skill ingests user-provided PDF, DOCX, PPTX, and XLSX files which are converted to text using the Docling library, as described in opensearch-launchpad/SKILL.md and opensearch-launchpad/document_processing_guide.md.
      • Boundary markers: Instructions do not specify the use of delimiters or 'ignore' directives to separate the ingested document content from the agent's internal logic.
      • Capability inventory: The skill can execute shell commands (via bash and uv), write to the filesystem (indexing), and perform network operations to OpenSearch and AWS Bedrock APIs.
      • Sanitization: There is no mention of text sanitization or validation for the content extracted from processed documents before it is used in indexing or evaluation.
  • [EXTERNAL_DOWNLOADS]: The skill downloads and installs several external dependencies and tools from public registries.
      • Installs the docling Python library from IBM Research for document conversion.
      • Fetches and runs MCP servers including duckduckgo-mcp-server and the vendor's own opensearch-mcp-server-py using the uvx tool runner.
  • [COMMAND_EXECUTION]: The skill workflow involves executing various scripts and dynamic code snippets.
      • Runs local bash and Python scripts (scripts/start_opensearch.sh and scripts/opensearch_ops.py) to manage the OpenSearch infrastructure.
      • Executes inline Python code snippets via uv run python -c in opensearch-launchpad/evaluation_guide.md to calculate search quality metrics.
Audit Metadata
Risk Level: SAFE
Analyzed: May 8, 2026, 07:46 AM