Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is susceptible to Indirect Prompt Injection (Category 8) due to its core function of processing external data.
- Ingestion points: Untrusted content enters the system via PDF files read through
pypdf,pdfplumber, andpytesseractas shown in SKILL.md. - Boundary markers: No delimiters or isolation techniques are used to separate extracted PDF text from the agent's instructions.
- Capability inventory: The skill provides tools for writing files (
writer.write,to_excel,c.save) and executing shell commands (qpdf,pdftotext,pdftk), which can be triggered by injected instructions. - Sanitization: There is no evidence of text sanitization or instruction-stripping from the PDF content.
- [COMMAND_EXECUTION] (MEDIUM): The skill explicitly instructs the agent to use shell-based tools like
qpdfandpdftk. While these are functional requirements, they expand the attack surface when processing data that may contain malicious escape sequences or injection payloads.
Recommendations
- AI detected serious security threats
Audit Metadata