pdf-reader
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFEPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- Indirect Prompt Injection (LOW): The skill extracts text from external PDFs and feeds it to the agent without providing clear boundaries or sanitization.
- Ingestion points: Data is ingested via the
convert_to_markdowntool (from URIs) and theextract_textPython utility (from local paths) as described inSKILL.md. - Boundary markers: Absent. The instructions do not define delimiters or provide warnings to the agent to ignore instructions found within the PDF text.
- Capability inventory: The agent can write to notes (
save_to_notes) and manipulate local files, providing a potential path for injected instructions to affect the user's system. - Sanitization: Absent. No filtering or sanitization of the extracted PDF text is performed before it is processed by the AI.
- External Downloads (LOW): The
convert_to_markdowntool (attributed tomicrosoft-mar) acceptshttp://andhttps://URIs to download and process remote PDF files. While from a trusted source, downloading arbitrary content poses a minor risk of data exposure or processing unexpected inputs.
Audit Metadata