Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (HIGH): The skill exhibits a significant Indirect Prompt Injection surface (Category 8) because it processes untrusted external PDF documents and has side-effect capabilities.
- Ingestion points: Untrusted data enters the context via PDF files read by pypdf, pdfplumber, and pytesseract.
- Boundary markers: There are no boundary markers or instructions to ignore embedded commands within the PDF content.
- Capability inventory: The skill possesses extensive capabilities including filesystem writes (PdfWriter), external command execution (qpdf, pdftk, poppler-utils), and complex data transformation.
- Sanitization: No sanitization or validation of the extracted PDF content is performed before it is used to drive agent reasoning or form-filling logic.
- COMMAND_EXECUTION (MEDIUM): The skill utilizes dynamic code execution techniques (Category 10).
- Evidence: The script scripts/fill_fillable_fields.py performs runtime monkeypatching of the pypdf library, overwriting DictionaryObject.get_inherited with a custom implementation.
- COMMAND_EXECUTION (LOW): The skill documentation explicitly provides examples for executing various system-level PDF utilities.
- Evidence: SKILL.md contains shell snippets for qpdf, pdftotext, and pdftk to perform document modifications.
Recommendations
- AI detected serious security threats