Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is designed to ingest and process external, untrusted PDF documents. It lacks boundary markers or sanitization logic when extracting text or metadata.
- Ingestion points:
pypdf.PdfReader("document.pdf"),pdfplumber.open("document.pdf"), andconvert_from_path('scanned.pdf'). - Boundary markers: Absent. Extracted text is directly concatenated or printed without delimiters or 'ignore' instructions.
- Capability inventory: The skill can write to the filesystem (
open("merged.pdf", "wb"),combined_df.to_excel("extracted_tables.xlsx")) and execute CLI tools (pdftotext,qpdf,pdftk), which are typically invoked via subprocess calls. - Sanitization: None. The skill assumes the content of the PDF is data, not instructions.
- Command Execution (MEDIUM): The skill provides documentation for various CLI tools (
pdftotext,qpdf,pdftk). While these are standard tools, their use via an agent introduces risks if parameters (like filenames or passwords) are derived from untrusted external data without proper escaping.
Recommendations
- AI detected serious security threats
Audit Metadata