
PDF Processing Pro

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Tags: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill is designed to ingest and process external untrusted data (PDFs and JSON). Ingestion points: input.pdf, data.json, and report.pdf via scripts like extract_text.py and analyze_form.py. Boundary markers: Absent; there are no instructions for the agent to ignore instructions embedded within the extracted text. Capability inventory: Subprocess execution (subprocess.run) and file-write access across the scripts. Sanitization: Absent; the skill lacks mechanisms to escape or filter instructions extracted from document bodies.
  • [Command Execution] (MEDIUM): The documentation encourages the use of subprocess.run and chmod +x on local scripts. This configuration creates a risk of local command injection if the agent interpolates unsanitized user-provided filenames into these shell commands.
  • [Unverifiable Dependencies] (MEDIUM): Core functionality resides in scripts/*.py which are referenced but not included in the analysis scope, making the actual logic and safety of the tools unverifiable.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 05:42 AM