The Agent Skills Directory

[Indirect Prompt Injection] (LOW): The skill processes untrusted PDF documents, creating a surface for indirect prompt injection attacks.
Ingestion points: PDF data is ingested and parsed in multiple scripts including extract_form_field_info.py, check_fillable_fields.py, and convert_pdf_to_images.py using the pypdf and pdf2image libraries.
Boundary markers: The skill instructions do not provide explicit boundary markers or directions for the agent to ignore or isolate instructions potentially contained within the processed PDF content.
Capability inventory: The skill includes extensive capabilities for reading, writing, and annotating PDF files. The SKILL.md and forms.md files provide several command-line examples and Python scripts for the agent to execute.
Sanitization: There is no evidence of sanitization or filtering of extracted PDF text before it is presented to the agent's context.
[Dynamic Execution] (LOW): The script scripts/fill_fillable_fields.py performs dynamic logic modification on an external library.
Evidence: The function monkeypatch_pydpf_method overrides pypdf.generic.DictionaryObject.get_inherited at runtime. While this is implemented as a workaround for a specific bug in pypdf v5.7.0, dynamic patching is a security-relevant pattern. The severity is lowered as this behavior is directly associated with the skill's primary purpose of form filling.

pdf