super-extract

Pass

Audited by Gen Agent Trust Hub on Apr 16, 2026

Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface in the extraction workflow. Ingestion points: Untrusted source text is extracted from PDF/DOCX documents or user-provided remote URLs. Boundary markers: The instructions in SKILL.md direct the agent to use a shell heredoc with a fixed delimiter ('ENDJSON') to write source text to a temporary file; a malicious document containing this delimiter on a new line could terminate the command and inject arbitrary shell instructions. Capability inventory: The workflow requires the agent to execute shell commands (cat, python3) and perform file system writes in the /tmp directory. Sanitization: No sanitization or character escaping is specified for the document content before it is interpolated into shell commands.
  • [COMMAND_EXECUTION]: The skill relies on local shell command execution to perform data alignment and generate visualizations. These capabilities are used to process data ingested from untrusted sources without adequate sanitization, facilitating the potential for instruction injection as noted above.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 16, 2026, 05:39 PM
Security Audit — agent-trust-hub — super-extract