book-reader
Pass
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it reads and displays content from external book files (PDF, EPUB, MOBI, TXT) that could contain malicious instructions.
  - Ingestion points: The `book.py` script extracts content from user-provided files using libraries like `PyMuPDF`, `ebooklib`, and `mobi`.
  - Boundary markers: The script uses simple text headers (e.g., `=== Page N ===`) and delimiters (`---`), but does not include explicit warnings to the AI agent to ignore instructions embedded within the book text.
  - Capability inventory: The skill possesses file system read access for books and write access for its local JSON cache at `~/.cache/book-reader/`. It does not perform network operations or execute arbitrary shell commands.
  - Sanitization: No content sanitization or instruction filtering is performed on the extracted text before it is presented to the agent.
Audit Metadata