Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is designed to ingest and process untrusted external data from PDF files using libraries like pypdf and pdfplumber.
  - Ingestion points: pypdf.PdfReader, pdfplumber.open, and convert_from_path in SKILL.md.
  - Boundary markers: Absent; the guide does not suggest any delimiters or instructions to ignore embedded content within the PDFs.
  - Capability inventory: The skill facilitates file writing (writer.write, to_excel) and provides instructions for executing powerful shell utilities (qpdf, pdftk, pdftotext).
  - Sanitization: Absent; no input validation or sanitization is mentioned.
- [Command Execution] (MEDIUM): The skill provides documentation and examples for executing several command-line tools.
  - Evidence: Multiple bash blocks in SKILL.md detailing usage of pdftotext, qpdf, pdftk, and pdfimages.
  - Risk: If the agent executes these commands using unsanitized filenames or parameters derived from untrusted PDF metadata, it could lead to command injection or unauthorized file access.
Recommendations
- AI detected serious security threats
Audit Metadata