Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is designed to ingest data from external, potentially malicious PDF files, which is a primary vector for indirect prompt injection.
- Ingestion points: The skill reads data using
PdfReader,pdfplumber, andpytesseractinSKILL.md. - Boundary markers: Absent. The skill provides no instructions to the agent to ignore or delimit instructions found within the processed PDFs.
- Capability inventory: The skill possesses capabilities to write files (
writer.write,c.save,to_excel) and execute system commands via CLI tools (qpdf,pdftk). - Sanitization: There is no evidence of sanitization or filtering of the extracted text or metadata before it is processed or used to drive agent actions.
- [Command Execution] (MEDIUM): The skill documentation includes and encourages the use of system-level command-line tools like
qpdf,pdftotext, andpdftk. If an agent invokes these tools using arguments derived directly from untrusted PDF metadata (e.g., a maliciously crafted 'Title' field), it could lead to command injection if the underlying shell is not handled securely.
Recommendations
- AI detected serious security threats
Audit Metadata