distill
Pass
Audited by Gen Agent Trust Hub on Apr 10, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted documents and passes their content to sub-agents. \n
- Ingestion points: Document files (PDF, DOCX, XLSX, etc.) processed via the
/distillcommand. \n - Boundary markers: Lacks robust markers or instructions to ignore embedded commands within the document content passed to the PDF Structurer and Digest agents. \n
- Capability inventory: Access to shell tools, file system write permissions, and sub-agent dispatch. \n
- Sanitization: No sanitization is performed on the extracted text before it is used in sub-agent prompts. \n- [COMMAND_EXECUTION]: The orchestrator executes multiple shell commands (
pandoc,pdftotext,unzip,pdfdetach,file,iconv,pdfinfo) using user-provided file paths. While the skill mandates quoted shell variables as a safety measure, this pattern still presents a potential attack surface for command injection if specific shell environments or tools handle malformed filenames unexpectedly. \n- [EXTERNAL_DOWNLOADS]: The skill automatically creates a Python virtual environment and installs third-party libraries (python-pptx,openpyxl) from public registries at runtime. This introduces a supply chain dependency risk, although the packages used are well-known and specific versions are requested.
Audit Metadata