nano-pdf
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill's documentation suggests installing 'uv' by fetching a shell script from 'astral.sh' and piping it into a shell. Astral is the well-known organization behind the 'uv' and 'ruff' Python tools, and this is the installer Astral itself documents. The pattern is still remote code execution by design: it trusts TLS and astral.sh's hosting at install time, so a practitioner who wants a reproducible setup should download the script and review it first, or install 'uv' from a package manager or a pinned release, rather than piping a freshly fetched script into a shell.
- [EXTERNAL_DOWNLOADS]: The skill installs the 'nano-pdf' package from PyPI. PyPI is the official Python package index, but it does not review uploads, so the trust rests on the 'nano-pdf' project and its maintainers rather than on the registry. Pinning an exact version (and, where the installer supports it, the distribution hashes) keeps a later release from silently changing what the skill runs.
- [COMMAND_EXECUTION]: The Python script 'scripts/edit_pdf.py' uses 'subprocess.run' to execute the 'nano-pdf' CLI, which is the skill's intended purpose: it forwards the user's edit instruction and target file to the tool. The script performs basic input validation, checking that the target file exists and parsing its arguments with an argument parser. The property that matters for command injection is that 'subprocess.run' is handed an argument list with shell=False, so the file path and the free-text instruction reach 'nano-pdf' as discrete argv entries and no shell ever interprets metacharacters in them; a reviewer should confirm that on the script itself, since a file-existence check and argument parsing do not by themselves prevent injection when a command string is assembled by concatenation.
- [PROMPT_INJECTION]: The skill takes natural-language edit instructions and passes them to an underlying LLM through the 'nano-pdf' tool (which requires an OPENAI_API_KEY, so the instruction and whatever document content nano-pdf submits with it leave the host for the OpenAI API). The indirect prompt-injection risk is limited by blast radius rather than by intent: the model invoked by nano-pdf can only produce edits to the document, not actions in the calling agent's environment. What remains is that text already inside a PDF could steer the edit the model makes, and that any output nano-pdf returns to the agent should be treated as data rather than as further instructions.
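The check described under COMMAND_EXECUTION above, as an added example: this is not code from the nano-pdf project or from the audited skill's 'scripts/edit_pdf.py'. It assumes a CLI invoked as `nano-pdf <file.pdf> <instruction>` (the real syntax may differ), stands in for the tool with a Python one-liner that echoes its argv back, and uses a constructed minimal PDF so it runs offline. The wrapper validates the target path, builds an argument list, and runs it with shell=False; the same inputs are then handed to a shell as a concatenated string to show why that form is the one to reject in review.

```python
"""Hardened subprocess wrapper for a natural-language PDF editing CLI.

Added example, not the nano-pdf project's code. Assumed CLI shape:
    nano-pdf <file.pdf> <instruction>
"""
import argparse
import json
import subprocess
import sys
import tempfile
from pathlib import Path
from typing import Optional, Sequence

# Constructed minimal PDF so the example runs without a real document.
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"


def validated_pdf_path(path_str: str) -> Path:
    """Resolve the target and refuse anything that is not an existing .pdf file."""
    path = Path(path_str).expanduser().resolve()
    if not path.is_file():
        raise FileNotFoundError(f"not a file: {path}")
    if path.suffix.lower() != ".pdf":
        raise ValueError(f"not a PDF: {path}")
    return path


def build_argv(pdf: Path, instruction: str, cli: Sequence[str] = ("nano-pdf",)) -> list:
    """Build the argument vector. The instruction is one argv element, so shell
    metacharacters in it (';', '|', backticks) are inert: no shell ever parses it."""
    if "\x00" in instruction:
        raise ValueError("NUL byte in instruction")  # execve would reject it anyway
    return [*cli, str(pdf), instruction]


def run_edit(pdf_path: str, instruction: str,
             cli: Sequence[str] = ("nano-pdf",)) -> subprocess.CompletedProcess:
    """Validate, build argv, and run with shell=False, a timeout and captured output."""
    argv = build_argv(validated_pdf_path(pdf_path), instruction, cli)
    return subprocess.run(argv, shell=False, check=True, capture_output=True,
                          text=True, timeout=600)


def unsafe_shell_command(pdf_path: str, instruction: str, tool: str = "nano-pdf") -> str:
    """The anti-pattern: one string meant for shell=True. Shown only for contrast."""
    return f"{tool} {pdf_path} {instruction}"


def demo() -> dict:
    """Run both forms on a hostile-looking (constructed) instruction and report what each did."""
    instruction = "Change the title to Q3 Report; echo INJECTED"
    # Stand-in for nano-pdf (assumption): echoes its argv as JSON so we can inspect it.
    echo_cli = (sys.executable, "-c", "import json, sys; print(json.dumps(sys.argv[1:]))")
    with tempfile.TemporaryDirectory() as tmp:
        pdf = Path(tmp) / "report.pdf"
        pdf.write_bytes(SAMPLE_PDF)
        safe = run_edit(str(pdf), instruction, cli=echo_cli)
        # Same inputs concatenated and given to a shell; 'echo' stands in for the tool.
        unsafe = subprocess.run(unsafe_shell_command(str(pdf), instruction, tool="echo"),
                                shell=True, capture_output=True, text=True)
    return {
        "instruction": instruction,
        "argv_seen_by_tool": json.loads(safe.stdout),  # [path, instruction]: 2 entries
        "shell_lines": unsafe.stdout.splitlines(),      # second command actually ran
    }


def main(argv: Optional[Sequence[str]] = None) -> int:
    """Mirror the audited script's argument parsing, then call the hardened wrapper."""
    parser = argparse.ArgumentParser(description="Edit a PDF with a natural-language instruction")
    parser.add_argument("pdf", help="path to an existing .pdf file")
    parser.add_argument("instruction", help="free-text edit instruction")
    args = parser.parse_args(argv)
    result = run_edit(args.pdf, args.instruction)
    sys.stdout.write(result.stdout)
    return 0


if __name__ == "__main__":
    raise SystemExit(main())
```

`demo()` shows the difference concretely: with the argv list, the tool receives exactly two arguments and the whole instruction, semicolon included, is the second one; with the concatenated string under shell=True, the text after `;` runs as a separate command. That is the single property to verify when reviewing a wrapper like 'scripts/edit_pdf.py'.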