Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH (PROMPT_INJECTION)
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is vulnerable to Indirect Prompt Injection (IPI). It ingests untrusted PDF data which is subsequently used to influence agent decisions during form-filling and extraction tasks. A malicious PDF could embed instructions to manipulate the agent's logic or output.
  - Ingestion points: scripts/extract_form_field_info.py and scripts/convert_pdf_to_images.py.
  - Boundary markers: Lacks semantic delimiters for extracted untrusted content.
  - Capability inventory: File system modification via pypdf, pdfplumber, and reportlab.
  - Sanitization: Only spatial bounding box validation is present (scripts/check_bounding_boxes.py); no content-based sanitization or instruction-ignoring markers are applied.
- COMMAND_EXECUTION (MEDIUM): The script scripts/fill_fillable_fields.py utilizes runtime monkeypatching on the pypdf.generic.DictionaryObject class to work around a selection list bug. This dynamic modification of library behavior at runtime is a risk-sensitive execution pattern.
Recommendations
- AI detected serious security threats
Audit Metadata