Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill's primary purpose is to ingest and process external content from PDF files, creating a significant attack surface for indirect prompt injection.
  - Ingestion points: Untrusted data enters the agent context via `pypdf.PdfReader.extract_text()`, `pdfplumber.open().pages.extract_text()`, and OCR via `pytesseract.image_to_string()` (SKILL.md).
  - Boundary markers: None. There are no delimiters or instructions provided to the agent to treat extracted text as untrusted data.
  - Capability inventory: The skill possesses significant side-effect capabilities, including writing to the filesystem (`PdfWriter.write`, `combined_df.to_excel`, `canvas.save`) and executing shell commands via the documented CLI tools.
  - Sanitization: No sanitization or filtering of extracted content is implemented in the provided examples.
- [External Downloads] (MEDIUM): The skill depends on numerous third-party Python packages and system utilities that are not part of a standard environment.
  - Evidence: Requires `pypdf`, `pdfplumber`, `reportlab`, `pandas`, `pytesseract`, `pdf2image`, and system tools like `poppler-utils`, `qpdf`, and `pdftk`.
- [Command Execution] (MEDIUM): The skill documents and encourages the use of various command-line utilities to manipulate files on the host system.
  - Evidence: Shell snippets for `pdftotext`, `qpdf`, `pdftk`, and `pdfimages` are provided for file modification and extraction tasks.
Recommendations
- AI detected serious security threats
Audit Metadata