
pdf-to-html — agentic threat model

AIVSS 8.0 · High

The agent presents a moderate-to-high risk profile primarily due to running Python extraction and writing HTML directly on the host system without sandboxing. The main attack vectors include malicious PDF parsing exploits (PyMuPDF) and prompt injection via the optional translation feature.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base: 7.8
AARS uplift: 0.22
Factor sum: 1.0/10
Threat multiplier (ThM): ×1.0
Mitigation factor: ×1.0

Agentic risk factors:
Autonomy of Action: 0.20
Goal-Driven Planning: 0.10
Self-Modification: 0.00
Dynamic Tool Use: 0.30
Persistent Memory: 0.00
Contextual Awareness: 0.10
Dynamic Identity: 0.00
Multi-Agent Interactions: 0.00
Non-Determinism: 0.20
Opacity & Reflexivity: 0.10

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
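As an added example (not part of this listing or of the AIVSS calculator it references), the score above recomputed from the stated formula and the ten factor values; the mitigation_factor and threat_multiplier arguments are free parameters here, since the listing gives no mapping from specific controls to factor values.

```python
# Added example: recompute this listing's OWASP AIVSS score from the
# formula it states:
#   AIVSS = (CVSS_Base + AARS) * Mitigation_Factor
#   AARS  = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM

# The ten agentic risk factors exactly as scored on this page.
AGENTIC_FACTORS = {
    "Autonomy of Action": 0.20,
    "Goal-Driven Planning": 0.10,
    "Self-Modification": 0.00,
    "Dynamic Tool Use": 0.30,
    "Persistent Memory": 0.00,
    "Contextual Awareness": 0.10,
    "Dynamic Identity": 0.00,
    "Multi-Agent Interactions": 0.00,
    "Non-Determinism": 0.20,
    "Opacity & Reflexivity": 0.10,
}


def aars(cvss_base, factors, threat_multiplier=1.0):
    """Agentic uplift added on top of the CVSS base score."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base score must lie in [0, 10]")
    factor_sum = sum(factors.values())
    return (10.0 - cvss_base) * (factor_sum / 10.0) * threat_multiplier


def aivss(cvss_base, factors, threat_multiplier=1.0, mitigation_factor=1.0):
    """Final AIVSS, rounded to two decimals like the page's own inputs."""
    uplift = aars(cvss_base, factors, threat_multiplier)
    return round((cvss_base + uplift) * mitigation_factor, 2)


def score_breakdown(cvss_base, factors, threat_multiplier=1.0, mitigation_factor=1.0):
    """Every intermediate term, so a reader can check each line of the listing."""
    return {
        "cvss_base": cvss_base,
        "factor_sum": round(sum(factors.values()), 2),
        "aars": round(aars(cvss_base, factors, threat_multiplier), 2),
        "aivss": aivss(cvss_base, factors, threat_multiplier, mitigation_factor),
    }


if __name__ == "__main__":
    # Reproduces the listing: factor sum 1.0, AARS 0.22, AIVSS 8.02 (shown as 8.0).
    print(score_breakdown(7.8, AGENTIC_FACTORS))
```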

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (✓ mapped)

Used for optional translation. Threat: Prompt injection via malicious PDF text could manipulate the translation output or attempt to hijack the LLM.

L2 · Data Operations (✓ mapped)

Reads PDF files and writes HTML files. Threat: Maliciously crafted PDFs (e.g., exploiting PyMuPDF parser vulnerabilities like buffer overflows or DoS) or data exfiltration if the translation service sends data to external LLM APIs.

L3 · Agent Frameworks (✓ mapped)

Orchestrates PyMuPDF and translation. Threat: Insecure tool integration where the output of PyMuPDF is fed directly into a translation prompt or written directly to the host filesystem without sanitization (path traversal).

L4 · Deployment & Infrastructure (✓ mapped)

Runs Python extraction and writes HTML on the host. Threat: Host compromise. Since it runs directly on the host without mentioned sandboxing, a compromise of the Python process leads directly to host file system access.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing: no logging, guardrails, or evaluation mechanisms are mentioned. The standard risk of blind spots applies, both for malicious inputs and for translation steps that fail silently.

L6 · Security & Compliance (cross-cutting) (⚠ not certain from listing)

Not certain from the listing: no authentication, authorization, or compliance controls are described. It runs locally as a community skill and likely inherits the host user's permissions.

L7 · Agent Ecosystem (⚠ not certain from listing)

Not certain from the listing: this is a single-purpose skill with no explicit multi-agent or marketplace interactions described. As a 'Community Agent Skill', however, it could be integrated into larger workflows, where malicious HTML in its output would risk cascading failures downstream.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).