Boof

Pass

Audited by VirusTotal on May 12, 2026.

Findings (1)

The 'boof' skill bundle provides legitimate PDF-to-Markdown conversion and RAG indexing using local tools like opendataloader-pdf and qmd. However, the script 'scripts/boof.sh' contains a code injection vulnerability where the '$INPUT_FILE' shell variable is interpolated directly into a Python script within a heredoc. This could allow arbitrary Python code execution if the agent is tasked with processing a file with a specially crafted filename (e.g., containing quotes and Python commands). While the tool's behavior aligns with its stated purpose and no intentional malice was found, this high-risk implementation flaw warrants a suspicious classification.