knowledge-compiler

Pass

Audited by Gen Agent Trust Hub on Jun 17, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill leverages the uv tool to dynamically manage and download Python dependencies required for its operation, such as docling, pdfminer.six, and PyPDF2. These are well-established libraries for document extraction and are retrieved from standard package registries.
  • [COMMAND_EXECUTION]: The skill executes external CLI tools including pdftotext, pdfinfo, and uv through the subprocess.run interface. The scripts correctly pass command-line arguments as an array of strings, which effectively mitigates the risk of command injection compared to using raw shell strings.
  • [PROMPT_INJECTION]: As a tool designed to process and analyze third-party documents, the skill is susceptible to indirect prompt injection attacks. Malicious instructions embedded in a user-provided PDF or EPUB file could attempt to hijack the agent's logic during the knowledge compilation phase.
  • Ingestion points: Document text is extracted and stored in local files such as cache/jobs/<job-id>/source.txt before being analyzed by the agent in segments.
  • Boundary markers: The skill does not currently implement explicit boundary markers (e.g., unique XML tags) or specific 'ignore' directives to separate the extracted content from the agent's instructions.
  • Capability inventory: The skill has the capability to read and write files in the local filesystem and execute subprocesses for text extraction tasks.
  • Sanitization: There is no automated sanitization or filtering logic applied to the extracted text to detect or remove potential injection patterns before processing.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 17, 2026, 06:49 AM
Security Audit — agent-trust-hub — knowledge-compiler