pdf-tools
Fail
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: Unsanitized shell variable interpolation in Python here-documents. Multiple scripts, including pdf-info.sh, pdf-merge.sh, pdf-split.sh and pdf-text.sh, are vulnerable. Variables such as $PDF, $OUT and $PAGES are expanded by the shell directly into Python string literals inside the here-document, so whatever they contain becomes Python source rather than data. An attacker providing an input beginning with a double quote, such as "; import os; os.system('id'); #, closes the string literal, executes an arbitrary system command, and uses the trailing # to comment out the remainder of the original line so the script still parses.
- [REMOTE_CODE_EXECUTION]: Exploitation via indirect inputs. Because the agent may be tasked with processing files from untrusted sources (e.g., internet downloads), a file whose name carries such a payload triggers the command injection above without the attacker ever interacting with the agent directly, leading to unauthorized code execution on the agent's host.
- [PROMPT_INJECTION]: Indirect prompt injection surface via PDF metadata. The pdf-info.sh script extracts metadata fields such as /Title, /Author and /Subject and prints them directly to the console. If these fields contain hidden instructions, the agent may interpret the extracted data as a prompt, potentially bypassing its own safety guidelines. There is no evidence of sanitization, escaping or delimiting of this external content before it is returned to the agent.
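The interpolation pattern behind the COMMAND_EXECUTION finding, shown as an added example that is not part of this audit or of pdf-tools' own scripts. The two wrapper functions are hypothetical reconstructions of the vulnerable pattern and its hardened form (the real script bodies are not reproduced on this page), and the payload in EVIL_NAME is constructed: instead of id it echoes a marker and exits with status 42, so the injection is observable from the exit code alone. It assumes python3 is on PATH.

```shell
#!/bin/sh
# Added example, not pdf-tools' own code: a hypothetical pdf-info.sh-style
# wrapper that expands $PDF inside an unquoted Python here-document, beside a
# hardened form that passes the same value through argv. Requires python3.

# Constructed payload in the shape the audit describes: it closes the Python
# string literal, runs a shell command, then comments out the rest of the line.
# It exits with status 42 so the injection shows up in the exit code.
EVIL_NAME='"; import os, sys; os.system("echo INJECTED"); sys.exit(42); #'

# Vulnerable pattern: the here-document delimiter is unquoted, so the shell
# expands $PDF before python3 ever reads the script. The file name is spliced
# into Python source as text, not handed over as data.
vulnerable_info() {
    PDF=$1
    python3 - <<EOF
path = "$PDF"
print("would open:", path)
EOF
}

# Hardened pattern: the delimiter is quoted ('EOF'), so the shell expands
# nothing inside the script, and the path travels as a separate argv entry.
# Whatever the file name contains, Python only ever sees it as a string value.
safe_info() {
    PDF=$1
    python3 - "$PDF" <<'EOF'
import sys
path = sys.argv[1]
print("would open:", path)
EOF
}

# Runs a wrapper on a file name with output discarded and prints its exit
# status, so a caller can tell whether the injected sys.exit(42) executed.
exit_status_for() {
    rc=0
    "$1" "$2" >/dev/null 2>&1 || rc=$?
    echo "$rc"
}

# Demo: the same "file name" is executed by one wrapper and merely printed
# by the other.
echo "vulnerable exit status: $(exit_status_for vulnerable_info "$EVIL_NAME")"
echo "hardened exit status:   $(exit_status_for safe_info "$EVIL_NAME")"
safe_info "$EVIL_NAME"
```

The fix has two independent parts and both matter: quoting the here-document delimiter stops the shell from expanding anything into the script text, and passing $PDF as an argument gives Python the value through sys.argv, where no quoting trick can turn it into code. The same treatment applies to $OUT and $PAGES in the other scripts the audit names.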
Recommendations
- AI detected serious security threats