Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is designed to ingest untrusted PDF data, which can then influence the agent's actions or logic.
  - Ingestion Points: SKILL.md, scripts/convert_pdf_to_images.py, and scripts/extract_form_field_info.py extract text and metadata from user-provided PDFs.
  - Boundary Markers: Absent. There are no delimiters or instructions to treat PDF-extracted text as untrusted content.
  - Capability Inventory: Subprocess calls to qpdf, pdftotext, and pdftk; file writes in fill_pdf_form_with_annotations.py and fill_fillable_fields.py.
  - Sanitization: None. Field IDs and text content from PDFs are used directly in logic and file generation.
- [Dynamic Execution] (MEDIUM): scripts/fill_fillable_fields.py employs runtime library modification.
  - Evidence: The monkeypatch_pydpf_method function (line 98) replaces pypdf.generic.DictionaryObject.get_inherited at runtime. This technique can be used to hide malicious logic or bypass expected library behavior.
- [Command Execution] (MEDIUM): Heavy reliance on external command-line utilities.
  - Evidence: Usage of pdftotext, qpdf, and pdftk is documented in SKILL.md (lines 106-135). Insecure handling of filenames or PDF metadata in these commands could lead to command injection.
- [Prompt Injection] (LOW): Use of high-severity instructional language.
  - Evidence: forms.md contains several 'CRITICAL' and 'REQUIRED' markers designed to override standard agent decision-making.
Recommendations
- AI detected serious security threats
Audit Metadata