mineru-ocr
Warn
Audited by Gen Agent Trust Hub on Apr 30, 2026
Risk Level: MEDIUM
DATA_EXFILTRATION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The script `scripts/convert.js` reads the user's official MinerU CLI configuration at `~/.mineru/config.yaml` to extract the authentication token. Accessing sensitive files outside the skill's own directory is a data exposure risk, although in this instance, it is used for authenticating with the primary service the skill is designed to interact with.
- [COMMAND_EXECUTION]: The skill makes extensive use of system shell commands via the `$.system` interface in JXA, including `curl`, `cp`, `unzip`, and `mdls`. While the script employs `shellQuote` to mitigate command injection, the frequent use of diverse shell utilities increases the overall attack surface.
- [EXTERNAL_DOWNLOADS]: The skill downloads document conversion results and associated image assets from `mineru.net` and other remote URLs using `curl`. This behavior is consistent with its stated purpose of document conversion and archiving.
- [PROMPT_INJECTION]: The skill converts untrusted external content from remote URLs or local documents into Markdown. This data is intended for consumption by the AI agent, creating a surface for indirect prompt injection where instructions embedded in the processed documents could attempt to influence the agent's behavior.
  - Ingestion points: `scripts/convert.js` processes local files and remote URLs via `curl` and the MinerU API.
  - Boundary markers: Absent. The skill does not wrap converted content in delimiters or include instructions to ignore embedded commands.
  - Capability inventory: The skill can execute shell commands (`curl`, `mkdir`, `cp`, `unzip`), write to the local filesystem (archive directory), and perform network operations.
  - Sanitization: Uses `shellQuote` for shell command arguments, but does not sanitize the document content (Markdown) before the agent reads it.
Audit Metadata