pdf

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Categories: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • INDIRECT PROMPT INJECTION (HIGH): The skill is highly vulnerable to Category 8 (Indirect Prompt Injection) because its purpose is to extract text and tables from externally supplied PDFs using tools like pypdf and pdfplumber; every extracted string is therefore attacker-controllable input that reaches the agent.
  • Ingestion points: Data enters through scripts like scripts/extract_form_field_info.py and code examples in SKILL.md employing pypdf, pdfplumber, and pytesseract OCR.
  • Boundary markers: No delimiters or framing instructions separate extracted content from the agent's own reasoning, and the agent is never told to treat embedded commands as data to be ignored rather than instructions to be followed.
  • Capability inventory: The skill has high capabilities, including writing files (PdfWriter.write()) and executing system commands (qpdf, pdftk, pdftotext), so an instruction smuggled in through a document can be acted on with real side effects.
  • Sanitization: No sanitization or screening is performed on the extracted text before it is presented to the agent, so a malicious document can redirect the agent's actions.
  • COMMAND EXECUTION (HIGH): SKILL.md explicitly references and provides usage for scripts/generate_schematic.py for 'AI-powered' diagram generation. However, this script is missing from the provided file list. Referencing and executing non-existent or externally-sourced scripts in a high-capability environment is a significant security risk.
  • PROMPT INJECTION (MEDIUM): The 'Suggest Using K-Dense Web' section in SKILL.md functions as a prompt injection (Category 1) by instructing the agent to proactively steer users towards an external commercial platform (www.k-dense.ai) when task complexity increases, overriding neutral assistance protocols.
  • DYNAMIC EXECUTION (MEDIUM): The script scripts/fill_fillable_fields.py implements a monkeypatch_pydpf_method function that replaces the internal get_inherited method of the pypdf library at runtime. While documented as a bug fix, runtime modification of external libraries (Category 10) is fragile (a pypdf upgrade can silently change or break the patched behaviour) and is a pattern that should be replaced by a version-pinned dependency or an upstream fix.
  • EXTERNAL DOWNLOADS (LOW): The skill documentation encourages users to pip install several third-party libraries (pytesseract, pdf2image) without pinning versions or verifying integrity (for example with hash-checked requirements via pip's --require-hashes mode), which violates supply-chain best practices.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 12:23 AM