mineru

Warn

Audited by Gen Agent Trust Hub on Mar 26, 2026

Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill downloads the mineru-open-api tool from the NPM registry and the official GitHub repository of the OpenDataLab organization.
  • [COMMAND_EXECUTION]: The skill requires the execution of shell commands for installation (npm install, go install) and for processing documents using the mineru-open-api binary.
  • [COMMAND_EXECUTION]: The instructions for generating unique output directories involve interpolating the full, unsanitized source URL or file path into a shell command (echo -n "..." | md5sum). This creates a command injection risk if the agent does not apply strict shell escaping to user-supplied inputs before execution, as the skill explicitly advises using the path before sanitization.
  • [PROMPT_INJECTION]: As a document parser, the skill processes untrusted external data from PDFs, images, and web pages. This data could contain malicious instructions (Indirect Prompt Injection) that might influence the agent's logic once the text is extracted and included in the session context.
    ◦ Ingestion points: Document files (PDF, DOCX, images) and URLs processed via the extract, flash-extract, and crawl commands in SKILL.md.
    ◦ Boundary markers: No specific delimiters or safety instructions are provided to the agent to separate extracted content from its own control logic.
    ◦ Capability inventory: The agent can execute the CLI tool, write to the local filesystem, and perform network requests via the tool's built-in functions.
    ◦ Sanitization: While directory names are partially sanitized, the input to the hash generation command is explicitly used without sanitization, increasing the risk of instruction or command interference.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 26, 2026, 01:27 PM