skills/ansteorra/kmp/pdf/Gen Agent Trust Hub

Skill: pdf

Audit result: Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Tags: PROMPT_INJECTION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill is designed to process untrusted PDF documents, creating a significant surface for indirect prompt injection (Category 8).
    ◦ Ingestion points: PDFs are ingested via pypdf in scripts/extract_form_field_info.py and scripts/check_fillable_fields.py, and via pdfplumber and pytesseract in SKILL.md examples.
    ◦ Boundary markers: No markers or delimiters are defined in forms.md to isolate extracted PDF content from agent instructions.
    ◦ Capability inventory: The skill allows writing files (PdfWriter.write), saving images (image.save), and executing Python scripts.
    ◦ Sanitization: There is no evidence of sanitization for text extracted from PDF metadata, OCR, or form fields.
  • [Dynamic Execution] (MEDIUM): scripts/fill_fillable_fields.py contains a monkeypatch_pydpf_method function that modifies pypdf.generic.DictionaryObject.get_inherited at runtime. This dynamic modification of library behavior (Category 10) is risky and can lead to unexpected execution paths.
  • [Command Execution] (LOW): The agent is instructed to run shell commands (e.g., qpdf, pdftotext, pdftk) and internal scripts using filenames as arguments. Maliciously crafted filenames in untrusted data could lead to command injection if not handled securely by the agent.
  • [External Downloads] (LOW): SKILL.md recommends installing packages such as pypdf, pdfplumber, pandas, reportlab, and pytesseract. These are trusted libraries, so the download risk is categorized as LOW per [TRUST-SCOPE-RULE].
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 09:41 AM