skills/7spade/black-tortoise/pdf/Gen Agent Trust Hub

pdf

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill ingests untrusted PDF data and has file-writing capabilities, creating a surface for malicious content to influence agent behavior. No sanitization or boundary markers are present. Ingestion points: scripts/extract_form_field_info.py, scripts/check_fillable_fields.py, and extraction logic in SKILL.md. Boundary markers: Absent. Capability inventory: pypdf.PdfWriter.write() in scripts/fill_fillable_fields.py and scripts/fill_pdf_form_with_annotations.py; PIL.Image.save() in scripts/convert_pdf_to_images.py. Sanitization: Absent.
  • Dynamic Execution (MEDIUM): The script scripts/fill_fillable_fields.py monkeypatches the pypdf library (DictionaryObject.get_inherited) at runtime to modify its behavior.
  • Prompt Injection (LOW): Documentation in forms.md uses forceful instructional language ("CRITICAL: You MUST"), which matches patterns common in prompt injection attacks that aim to override agent behavior.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 07:45 AM