summary
Warn
Audited by Gen Agent Trust Hub on Apr 9, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill's setup script in Step 1a assigns user-provided input (`<user-input>`) directly to a bash variable. If the substitution mechanism does not properly escape shell metacharacters, this could allow command injection (e.g., via backticks or subshells) when the variable is processed.
- [EXTERNAL_DOWNLOADS]: The skill performs automated installation of dependencies using `npm install` and `pip install pymupdf`. While `pymupdf` is a widely recognized library, the `npm install` step relies on a local `package.json` whose contents are not fully defined within this file.
- [REMOTE_CODE_EXECUTION]: The skill is designed to download content from arbitrary URLs provided by the user and process that content through local scripts (`download-pdf.cjs` and `parse-pdf.js`). This involves the execution of logic on untrusted external data.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it ingests and processes content from external research papers without clear sanitization or boundary markers.
  - Ingestion points: Untrusted data enters the context via the `USER_INPUT` (URL or file path) and the subsequent extraction of text from the PDF file.
  - Boundary markers: No explicit delimiters or instructions to ignore embedded commands are used when presenting extracted text to the model for summarization.
  - Capability inventory: The skill is granted the `Bash`, `Write`, and `Read` tools, allowing it to modify the file system and execute shell commands.
  - Sanitization: There is no evidence of content filtering or sanitization applied to the parsed PDF text before it is used for summary generation.
Audit Metadata