Documents

Pass

Audited by Gen Agent Trust Hub on Mar 5, 2026

Risk Level: SAFE
Categories: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill frequently executes shell commands and local scripts to automate document processing tasks.
    ◦ Every invocation must first issue a curl command to localhost:8888 to send a voice notification.
    ◦ Automation scripts such as recalc.py, thumbnail.py, and pack.py invoke system utilities including soffice (LibreOffice), pandoc, qpdf, and pdftoppm via subprocess calls.
    ◦ The recalc.py script programmatically installs a persistent Basic macro into the user's local LibreOffice configuration directory to enable automated formula recalculation.
  • [PROMPT_INJECTION]: The skill includes directives that attempt to mandate specific agent behaviors and bypass default reading constraints.
    ◦ Multiple files contain "MANDATORY" instructions requiring the agent to perform specific notification actions before proceeding with any user request.
    ◦ Instructions such as "NEVER set any range limits when reading this file" in the library documentation are intended to override the agent's standard file-reading protocols.
  • [EXTERNAL_DOWNLOADS]: The skill requires and suggests the installation of numerous external system packages and software libraries.
    ◦ The documentation lists requirements including libreoffice, pandoc, poppler-utils, and several NPM and PyPI packages.
    ◦ The skill suggests environment setup via sudo apt-get install, npm install -g, and pip install commands.
    ◦ A dedicated workflow uses the llm CLI tool, which downloads and uses a plugin to interact with the Google Gemini AI model.
  • [DATA_EXFILTRATION]: One workflow sends document content to an external AI service for processing.
    ◦ The ProcessLargePdfGemini3 workflow attaches local PDF files to requests sent to the Gemini AI model for multimodal analysis. Although the destination is a well-known service, the workflow transmits potentially sensitive document data to a remote API.
  • [INDIRECT_PROMPT_INJECTION]: The skill's primary function, processing external documents, introduces a surface for indirect prompt injection.
    ◦ Ingestion points: The skill processes user-provided Office documents (DOCX, PPTX, XLSX) and PDF files.
    ◦ Boundary markers: No explicit markers or delimiters separate document content from agent instructions during processing.
    ◦ Capability inventory: The agent has file system access, shell command execution, and the ability to make local network requests.
    ◦ Sanitization: The skill uses defusedxml for secure XML parsing to prevent XXE attacks, but does not sanitize natural-language instructions found within the documents themselves.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 5, 2026, 07:39 AM