Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is highly vulnerable to Indirect Prompt Injection because it ingests untrusted external content and combines that with the capabilities listed below.
- Ingestion points: Untrusted PDF data is loaded into the agent context via pypdf.PdfReader, pdfplumber.open, and pdf2image.convert_from_path in SKILL.md.
- Boundary markers: There are no boundary markers or instructions to treat extracted text as untrusted data.
- Capability inventory: The skill allows writing to the file system (open with 'wb', writer.write) and executing various system binaries (qpdf, pdftk, pdftotext, pdfimages) in SKILL.md.
- Sanitization: No sanitization, filtering, or validation is performed on the data extracted from PDF files.
- EXTERNAL_DOWNLOADS (MEDIUM): The skill documentation recommends the installation of several external dependencies and system-level utilities (pytesseract, pdf2image, poppler-utils) that are not from a verified or trusted source list.
- COMMAND_EXECUTION (LOW): The skill explicitly uses multiple command-line tools for processing, which is standard for its purpose but increases the attack surface when handling untrusted inputs.
Recommendations
- AI detected serious security threats
Audit Metadata