Warn
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill relies heavily on the `Bash` tool to perform operations such as text extraction (`pdftotext`), image extraction (`pdfimages`), metadata retrieval (`pdfinfo`, `exiftool`), and PDF conversion (`pandoc`, `wkhtmltopdf`). Use of the `Bash` tool provides a broad capability set that can be exploited if inputs are not properly handled.
- [PRIVILEGE_ESCALATION]: The skill explicitly instructs the agent to use `sudo apt-get install` to set up required system dependencies. This pattern requests root-level permissions on the host system to modify system-wide software configurations.
- [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection (Category 8) because its core function involves ingesting and processing untrusted data from external PDF files.
  - Ingestion points: Data enters the agent's context through `pdftotext`, `pdfinfo`, `exiftool`, and `mutool show`. These tools read content, metadata, and structural information from external PDF files.
  - Boundary markers: The skill lacks explicit boundary markers or instructions to the agent to treat the output of these extraction tools as untrusted data, increasing the risk of the agent obeying instructions hidden within a PDF's text or metadata.
  - Capability inventory: The agent has access to `Bash`, `Read`, and `Write` tools, providing high-impact capabilities that could be triggered by injected instructions (e.g., executing shell commands or overwriting local files).
  - Sanitization: There is no evidence of sanitization or filtering of the extracted text before it is returned to the agent's context.