Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill processes untrusted data from external PDF files using libraries like pypdf, pdfplumber, and pytesseract.
  - Ingestion points: Multiple points in SKILL.md where PDFs are opened (e.g., PdfReader("document.pdf"), pdfplumber.open("document.pdf"), convert_from_path('scanned.pdf')).
  - Boundary markers: Absent. The code snippets do not implement delimiters or instructions to the agent to ignore embedded commands.
  - Capability inventory: The skill includes functions for file system modification (writer.write(output)) and provides a reference for shell command execution (qpdf, pdftk, pdftotext).
  - Sanitization: Absent. Extracted text and metadata are used directly without sanitization.
- [Command Execution] (MEDIUM): The documentation explicitly includes instructions for using system binaries (pdftotext, qpdf, pdftk, pdfimages) via the command line. While legitimate for the stated purpose, this provides an execution surface that could be exploited if the agent follows instructions found within a malicious PDF.
Recommendations
- AI detected serious security threats
Audit Metadata