latex-pdf-compiler

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
  • COMMAND_EXECUTION (HIGH): The skill invokes pdflatex on user-provided or agent-generated LaTeX source. TeX engines expose a shell escape through \write18; current TeX distributions enable it in restricted mode by default (a whitelist of helper programs), and running with -shell-escape lifts the whitelist so any system command executes. Independently of shell escape, \input, \openin and \read can read files: the governing setting is openin_any, which TeX Live ships as 'a' (any readable file), so a document can pull /etc/passwd or a key file into the build unless the caller tightens it.
  • Evidence: SKILL.md specifies running pdflatex with the -interaction=nonstopmode flag, but does not explicitly enforce -no-shell-escape or other sandboxing constraints.
  • REMOTE_CODE_EXECUTION (HIGH): The skill delegates compilation to a local script, scripts/compile_latex.py, whose contents are not included in the skill definition. How it builds the pdflatex command line, whether it validates the input, and whether it applies any sandboxing therefore cannot be verified.
  • Evidence: SKILL.md refers to scripts/compile_latex.py as the primary execution engine for compilation.
  • DYNAMIC_EXECUTION (MEDIUM): The skill compiles documents at runtime. A TeX run executes the macros in the source, so the build process runs untrusted logic by design, not only when shell escape is enabled.
  • INDIRECT_PROMPT_INJECTION (LOW): The skill creates a significant attack surface for indirect prompt injection. An attacker who controls a LaTeX document the user asks the agent to 'fix' or 'compile' can embed instructions aimed at the agent (to exfiltrate data or change its behaviour) alongside TeX that the compiler will execute.
  • Ingestion points: SKILL.md (Workflow section) indicates the agent extracts LaTeX from artifacts provided in the conversation.
  • Boundary markers: None specified in the instructions to the agent; no explicit 'ignore embedded instructions' warnings are provided when passing data to the compiler.
  • Capability inventory: Subprocess calls to pdflatex and execution of a local Python script.
  • Sanitization: No evidence of LaTeX-specific sanitization or filtering of dangerous commands (like \write18 or \input) is present in the skill description.
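What the missing controls look like when written down: the invocation the evidence describes next to a hardened one (shell escape disabled, paranoid file-access settings, confined output directory, timeout), plus a pre-flight scan for the primitives named above. This is an added example written for this page; it is not the skill's own scripts/compile_latex.py, whose contents were not available to the audit. The function names, the WEAK_ARGV_FROM_AUDIT constant and the two sample documents are the example's own, and the regex scan is a tripwire rather than a security boundary.

```python
"""Hardened pdflatex driver: the controls this audit found absent in the skill.
Added example; not the skill's scripts/compile_latex.py, whose contents were not
available. Function names and the sample documents are this example's own."""
from __future__ import annotations

import os
import re
import shutil
import subprocess
import tempfile
from pathlib import Path

# Invocation the audit evidence describes: nonstopmode only, so distribution
# defaults apply (restricted \write18 whitelist, openin_any=a = read any file).
WEAK_ARGV_FROM_AUDIT = ["pdflatex", "-interaction=nonstopmode", "document.tex"]

# Pre-flight tripwire for primitives that reach the shell or filesystem. TeX can
# assemble control sequences at run time (\csname write18\endcsname, catcode
# tricks), so this list is never the boundary; the invocation below is.
DANGEROUS_PATTERNS = {
    "shell_escape": re.compile(r"\\(?:immediate\s*)?write\s*18\b"),
    "csname_shell_escape": re.compile(r"\\csname\s*write\s*18\s*\\endcsname"),
    "file_read": re.compile(r"\\(?:openin|read)\b"),
    "file_write": re.compile(r"\\openout\b"),
    "path_traversal": re.compile(
        r"\\(?:input|include|InputIfFileExists)\s*\{?\s*(?:/|\.\.)"),
    "lua_exec": re.compile(r"\\(?:directlua|latelua)\b"),
}


def scan_latex_source(source: str) -> list[tuple[str, int]]:
    """Return (category, line_number) per flagged primitive. The '%' comment
    tail is dropped first ('\\%' is a literal) so commented-out code is ignored."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        code = re.split(r"(?<!\\)%", line, maxsplit=1)[0]
        for category, pattern in DANGEROUS_PATTERNS.items():
            if pattern.search(code):
                findings.append((category, lineno))
    return findings


def hardened_pdflatex_argv(tex_path: str | Path, out_dir: str | Path) -> list[str]:
    """Shell escape off, no prompts, output confined to out_dir."""
    return [
        "pdflatex",
        "-no-shell-escape",          # \write18 runs nothing, whitelisted or not
        "-interaction=nonstopmode",  # never block on a terminal prompt
        "-halt-on-error",            # stop at the first error
        "-file-line-error",          # machine-parsable error locations
        f"-output-directory={out_dir}",
        "-jobname=document",         # fixed output name regardless of input name
        Path(tex_path).name,         # relative name; cwd is the sandbox dir
    ]


def hardened_env(out_dir: str | Path) -> dict[str, str]:
    """Minimal environment. kpathsea reads texmf.cnf variables from the
    environment, so these override the distribution defaults; 'p' (paranoid)
    refuses dotfiles, parent-directory paths and absolute paths outside
    $TEXMFOUTPUT for \\input/\\openin (openin_any) and \\openout (openout_any)."""
    return {
        "PATH": os.environ.get("PATH", "/usr/bin:/bin"),
        "HOME": os.environ.get("HOME", str(out_dir)),  # TeX needs a writable TEXMFVAR
        "openin_any": "p",
        "openout_any": "p",
        "shell_escape": "f",         # defence in depth; the CLI flag already wins
        "TEXMFOUTPUT": str(out_dir),
    }


def compile_latex_sandboxed(tex_source: str, dest: Path, timeout: int = 60) -> Path:
    """Scan, then compile untrusted LaTeX in a throwaway directory with a
    wall-clock bound. Two passes resolve cross-references. For a real boundary,
    run this inside a container or seccomp/landlock profile as well."""
    findings = scan_latex_source(tex_source)
    if findings:
        raise ValueError(f"refusing to compile, flagged primitives: {findings}")
    with tempfile.TemporaryDirectory() as work:
        work_dir = Path(work)
        tex_path = work_dir / "document.tex"
        tex_path.write_text(tex_source, encoding="utf-8")
        out_dir = work_dir / "out"
        out_dir.mkdir()
        argv, env = hardened_pdflatex_argv(tex_path, out_dir), hardened_env(out_dir)
        for _ in range(2):
            proc = subprocess.run(argv, cwd=work_dir, env=env, timeout=timeout,
                                  capture_output=True, text=True, check=False)
            if proc.returncode != 0:
                raise RuntimeError(proc.stdout[-2000:])
        dest.mkdir(parents=True, exist_ok=True)
        return Path(shutil.copy(out_dir / "document.pdf", dest / "document.pdf"))


# Constructed sample inputs for the scan (not taken from the audited skill).
BENIGN_TEX = r"""\documentclass{article}
\begin{document}
Hello, world. 100\% safe.
\end{document}
"""

MALICIOUS_TEX = r"""\documentclass{article}
\begin{document}
Hello % \write18{id} commented out, must not fire
\immediate\write18{id > /tmp/pwned}
\input{/etc/passwd}
\newread\f \openin\f=../secret.txt
\end{document}
"""
```

The -no-shell-escape flag is the control that matters: TeX macros can construct \write18 at run time, so the scan will miss obfuscated attempts and should only be read as an early warning. Setting openin_any=p will break documents that legitimately \input files by absolute path or from a parent directory; that is the intended trade-off for untrusted input. None of this confines the process itself, so a container or syscall filter around the compile is still needed for a real boundary.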
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 17, 2026, 06:24 PM