NYC

pandoc

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill's primary function is to ingest and process external untrusted data (Markdown, HTML, DOCX). This creates a high-risk surface where an attacker can embed malicious instructions or malicious code (e.g., within LaTeX macros or Lua filters) inside a document provided to the agent for conversion.
  • [Command Execution] (MEDIUM): The documentation explicitly promotes the use of powerful system commands and package managers (e.g., sudo apt-get, pandoc). While these are standard tools, the skill lacks explicit boundary markers or sanitization guidance for handling inputs to these commands, which could lead to arbitrary command execution if an agent interpolates untrusted file names or content into these shell commands.
  • [Dynamic Execution] (MEDIUM): Pandoc supports Lua filters and custom templates, which are executed at runtime during the conversion process. If the agent processes a document that references a malicious local or remote filter, it could result in unauthorized code execution.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 15, 2026, 09:33 PM