mineru-ocr
Warn
Audited by Gen Agent Trust Hub on May 3, 2026
Risk Level: MEDIUM
CREDENTIALS_UNSAFE, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The script contains logic to read sensitive credentials from outside the skill's directory. Specifically, the `readOfficialCliToken` function in `scripts/convert.js` attempts to read and parse `~/.mineru/config.yaml` to retrieve an API token if one is not provided in the skill's environment configuration.
- [COMMAND_EXECUTION]: The `scripts/convert.js` script makes extensive use of the `$.system` function to execute shell commands (including `curl`, `cp`, `mv`, `unzip`, `find`, `stat`, and `mdls`). While it attempts to use a `shellQuote` function to sanitize inputs, the large surface area of shell interaction increases the risk of command injection if sanitization is bypassed.
- [EXTERNAL_DOWNLOADS]: The skill performs network operations to fetch data from untrusted sources. In `scripts/convert.js`, the `downloadRemoteImages` function uses `curl` to download images from any URL found within the OCR-generated Markdown. This could be used for server-side request forgery (SSRF) or to download malicious assets.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. It ingests untrusted data from local files and remote URLs, processes them into Markdown, and returns the result to the agent.
  - Ingestion points: `scripts/convert.js` reads local files and remote document/HTML URLs.
  - Boundary markers: The script does not wrap the converted content in protective delimiters or provide instructions to the agent to ignore embedded commands.
  - Capability inventory: The skill has access to file system operations (read/write/delete) and network operations via shell commands in `scripts/convert.js`.
  - Sanitization: There is no sanitization of the document content before it is passed back to the agent, allowing a malicious document to potentially hijack the agent's instructions.
Audit Metadata