oma-pdf

Pass

Audited by Gen Agent Trust Hub on Jun 13, 2026

Risk Level: SAFE
Flagged categories: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The error recovery section in resources/execution-protocol.md instructs the agent to suggest a piped remote execution command (curl -LsSf https://astral.sh/uv/install.sh | sh) to the user for tool installation. While this is an official installation method for the uv tool, the pattern itself involves executing remote scripts directly in the shell.
  • [EXTERNAL_DOWNLOADS]: The skill relies on uvx to dynamically download and execute packages from the Python Package Index (PyPI), including opendataloader-pdf, opendataloader-pdf-hybrid, and mdformat. These are external dependencies fetched at runtime.
  • [COMMAND_EXECUTION]: The skill performs multiple shell operations to fulfill its purpose, including file metadata inspection (wc, ls, pdfinfo) and the execution of conversion utilities via uvx.
  • [INDIRECT_PROMPT_INJECTION]: The skill exposes an attack surface for indirect prompt injection because it processes untrusted external data.
      • Ingestion points: Untrusted PDF content is read from user-provided paths (input_path) as described in SKILL.md and resources/execution-protocol.md.
      • Boundary markers: No explicit boundary markers or instructions to ignore embedded commands are used during the extraction or formatting phases.
      • Capability inventory: The skill can execute subprocesses via uvx and perform file system read/write operations.
      • Sanitization: There is no evidence of sanitization, filtering, or escaping of the content extracted from the PDF before it is presented to the agent or saved as Markdown.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Jun 13, 2026, 12:18 PM
Security Audit — agent-trust-hub — oma-pdf