pdf

Pass

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: SAFE
Flags: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The forms.md file contains meta-instructions using strong imperative language such as 'CRITICAL: You MUST complete these steps in order' and 'Follow the below steps exactly'. While intended as a task-specific guardrail to ensure correct form filling, these instructions attempt to override standard agent behavior by prohibiting the agent from 'skipping ahead' or writing code independently.
  • [COMMAND_EXECUTION]: The skill relies extensively on executing local Python scripts and system CLI tools (e.g., qpdf, pdftotext, pdfimages) to perform its functions. These operations use file paths that may be provided by user input, representing a standard command execution surface for a utility toolkit.
  • [DYNAMIC_EXECUTION]: The script scripts/fill_fillable_fields.py implements a runtime monkeypatch of the pypdf library. It redefines the DictionaryObject.get_inherited method at runtime to resolve a known bug in pypdf version 5.7.0. While functional for the skill's primary purpose, runtime modification of third-party library classes is a form of self-modifying code.
  • [EXTERNAL_DOWNLOADS]: The documentation in SKILL.md and reference.md suggests the installation of several external packages from standard registries (PyPI and NPM) including pypdf, pdfplumber, and pdf-lib. These are well-known libraries and do not escalate the verdict severity.
  • [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted PDF files to extract text, metadata, and form fields. This creates an indirect prompt injection surface where a malicious PDF could contain hidden instructions designed to influence the agent's behavior during the analysis phase.
    • Ingestion points: Data enters the context via pypdf.PdfReader and pdfplumber.open in SKILL.md and associated scripts.
    • Boundary markers: No explicit delimiters or instructions are used to separate untrusted PDF content from agent instructions in the provided scripts.
    • Capability inventory: The skill possesses the ability to read/write files and execute subprocesses (scripts/cli tools).
    • Sanitization: No sanitization or validation of extracted text content is performed before it is presented to the agent.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 1, 2026, 06:34 PM