OCR Image to Markdown
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is susceptible to Indirect Prompt Injection because it directs the agent to 'read' and 'transcribe' content from untrusted images. An attacker can embed malicious instructions in an image that the agent may interpret as commands. Given the skill's file-writing capability, this could lead to the creation of malicious files or data corruption. 1. Ingestion points: User-provided images processed via view_file tool. 2. Boundary markers: None; the instructions do not tell the agent to ignore commands within images. 3. Capability inventory: Includes list_dir and write_to_file for filesystem access. 4. Sanitization: None; transcribed text is written directly to files.
- [COMMAND_EXECUTION] (LOW): The skill utilizes filesystem tools (list_dir, view_file, write_to_file) to perform its function. While these tools are used for their intended purpose, they provide the necessary primitives for an attacker to achieve impact following a successful prompt injection.
Recommendations
- AI detected serious security threats
Audit Metadata