skills/thvroyal/kimi-skills/pdf/Gen Agent Trust Hub

pdf

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION)
Full Analysis
  • COMMAND_EXECUTION (HIGH): The skill frequently invokes a local shell script /app/.kimi/skills/kimi-pdf/scripts/pdf.sh. This script is responsible for environment checks, dependency installation, and orchestration of multiple rendering engines. Executing scripts with administrative-like capabilities (the 'fix' subcommand for dependencies) poses a risk if the script is tampered with or contains vulnerabilities.
  • EXTERNAL_DOWNLOADS (MEDIUM): The pdf.sh fix command is designed to automatically install missing dependencies. This indicates that the skill performs network-based downloads of executable packages at runtime. While the mentioned dependencies (Playwright, pikepdf, Tectonic) are common, these dynamic downloads can be intercepted or used to install malicious versions if the source is not strictly verified.
  • REMOTE_CODE_EXECUTION (HIGH): The skill is highly susceptible to Indirect Prompt Injection due to its core functionality.
      • Ingestion points: User-provided HTML strings and LaTeX source code are passed directly to rendering engines (identified in SKILL.md route descriptions).
      • Boundary markers: No delimiters or "ignore embedded instructions" markers are specified for the input data.
      • Capability inventory: The skill possesses extensive capabilities including shell script execution, Python-based file manipulation, and full HTML/LaTeX rendering.
      • Sanitization: There is no evidence of sanitization or sandboxing. Maliciously crafted HTML can be exploited for Server-Side Request Forgery (SSRF) or local file access via Chromium, and LaTeX compilation can be used to leak sensitive environment data if not properly restricted.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 03:37 AM