skills/smithery/ai/pdf/Gen Agent Trust Hub

Skill: pdf

Audit result: Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill extracts text from untrusted external files (PDFs) and processes it within the agent context. If a PDF contains malicious instructions, the agent may obey them because the skill lacks boundary markers or sanitization logic.
  • Ingestion points: Text extraction occurs in SKILL.md using pdftotext and the PyMuPDF (fitz) library's get_text() method.
  • Boundary markers: Absent. The extracted content is treated as standard data without delimiters or instructions to ignore embedded commands.
  • Capability inventory: The skill utilizes shell commands (pdftotext, pandoc, wkhtmltopdf) and file system write operations (result.save(), single.save()).
  • Sanitization: Absent. There is no evidence of filtering or escaping extracted text before it is returned to the agent.
  • [Command Execution] (MEDIUM): The skill frequently invokes shell processes (bash blocks) to run system utilities such as pdftotext, pandoc, and wkhtmltopdf. These are standard tools, but passing them potentially attacker-controlled filenames (e.g., input.pdf) without validation or strict shell escaping could allow command injection.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 06:33 AM