skills/nomadamas/k-skill/hwp/Gen Agent Trust Hub

hwp

Pass

Audited by Gen Agent Trust Hub on Apr 24, 2026

Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill installs the kordoc and pdfjs-dist packages from the NPM registry. pdfjs-dist is an official package maintained by a well-known organization, while kordoc is the primary tool identified for this skill's functionality.
  • [COMMAND_EXECUTION]: Uses npx to execute remote packages and node to run inline JavaScript modules. These commands are used to process local document files, extract form fields, and perform format conversions.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it processes untrusted document data and provides the output to the AI context.
    • Ingestion points: Accesses and parses .hwp, .hwpx, and .hwpml files provided as user input (SKILL.md).
    • Boundary markers: The workflow provides no delimiters around document content and no instruction to ignore instructions embedded in it.
    • Capability inventory: The skill environment allows shell command execution and local file system read/write operations (SKILL.md).
    • Sanitization: There is no evidence of sanitization, filtering, or validation performed on the document content before it is passed to the AI as Markdown or JSON.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 24, 2026, 09:27 AM