oma-pdf
Pass
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The error recovery section in
resources/execution-protocol.mdinstructs the agent to suggest a piped remote execution command (curl -LsSf https://astral.sh/uv/install.sh | sh) to the user for tool installation. While this is an official installation method for theuvtool, the pattern itself involves executing remote scripts directly in the shell. - [EXTERNAL_DOWNLOADS]: The skill relies on
uvxto dynamically download and execute packages from the Python Package Index (PyPI), includingopendataloader-pdf,opendataloader-pdf-hybrid, andmdformat. These are external dependencies fetched at runtime. - [COMMAND_EXECUTION]: The skill performs multiple shell operations to fulfill its purpose, including file metadata inspection (
wc,ls,pdfinfo) and the execution of conversion utilities viauvx. - [INDIRECT_PROMPT_INJECTION]: The skill possesses a vulnerability surface for indirect prompt injection because it processes untrusted external data.
- Ingestion points: Untrusted PDF content is read from user-provided paths (
input_path) as described inSKILL.mdandresources/execution-protocol.md. - Boundary markers: No explicit boundary markers or instructions to ignore embedded commands are used during the extraction or formatting phases.
- Capability inventory: The skill has the ability to execute subprocesses via
uvxand perform file system read/write operations. - Sanitization: There is no evidence of sanitization, filtering, or escaping of the content extracted from the PDF before it is presented to the agent or saved as Markdown.
Audit Metadata