pdf-ocr-skill
Warn
Audited by Gen Agent Trust Hub on Mar 19, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script scripts/pdf_ocr_processor.py contains a function install_dependency that uses subprocess.check_call to execute pip install commands. This allows the skill to run system-level commands that modify the local Python environment.
- [REMOTE_CODE_EXECUTION]: The skill implements a dynamic dependency management system that downloads and installs Python packages (rapidocr_onnxruntime, pymupdf, pillow) from PyPI at runtime if they are not already present. Installing and importing external code during execution is a significant security risk.
- [EXTERNAL_DOWNLOADS]: The skill is designed to fetch and install external packages from the Python Package Index (PyPI) at runtime to enable specific OCR functionalities.
- [DATA_EXFILTRATION]: The SiliconFlowOCREngine class transmits image data to an external endpoint (https://api.siliconflow.cn/v1/chat/completions) for text recognition. While this is a documented feature, it results in the transmission of document content to a third-party service.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted documents and returns the extracted content to the agent.
  - Ingestion points: Document and image files processed in scripts/pdf_ocr_processor.py via ocr_pdf and ocr_image_file.
  - Boundary markers: The extracted text is returned as a raw string without any delimiters or 'ignore' instructions to prevent the agent from following commands embedded in the documents.
  - Capability inventory: The skill can execute shell commands (via pip installation) and perform network operations (API requests).
  - Sanitization: There is no evidence of text sanitization or filtering applied to the OCR output before it is returned to the agent context.
Audit Metadata