pdf-ocr-skill
Warn
Audited by Gen Agent Trust Hub on Jun 7, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script
scripts/pdf_ocr_processor.pyusessubprocess.check_callto execute shell commands for package installation. While the package names are hardcoded, this allows the skill to modify the system's Python environment at runtime. - [EXTERNAL_DOWNLOADS]: The skill is designed to dynamically download and install Python packages (such as
rapidocr_onnxruntime,paddleocr, andrapid-doc) from the public PyPI registry if they are not detected on the system during execution. - [DATA_EXFILTRATION]: When using the SiliconFlow OCR engine, the skill transmits document image data to an external cloud service (
api.siliconflow.cn). This is the intended functionality for cloud-based recognition but involves sending potentially sensitive file content to a third-party API. - [PROMPT_INJECTION]: The skill ingests untrusted text data extracted from PDFs and images. Because this data is returned to the agent's context without sanitization or boundary delimiters, it creates a risk of indirect prompt injection where instructions embedded in a scanned document could hijack the agent's behavior.
- Ingestion points:
scripts/pdf_ocr_processor.py(viaocr_pdfandocr_image_filemethods) reads content from PDF and image files provided to the agent. - Boundary markers: The
SiliconFlowOCREngineuses a prompt to request text output, but the resulting content is merged into the agent's context without specific "ignore instructions" delimiters. - Capability inventory: The script performs file reads, network POST requests, and subprocess shell execution.
- Sanitization: While the
RapidDocEngineperforms basic regex cleaning to remove markdown formatting, no generic sanitization is applied to the raw text output across all engines.
Audit Metadata