Verdict: Fail
Audited by Gen Agent Trust Hub on Feb 14, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to indirect prompt injection. It ingests untrusted data from PDF documents via text extraction (pypdf, pdfplumber) and OCR (pytesseract). The workflow in FORMS.md explicitly requires the agent to analyze these inputs and determine field purposes, so instructions hidden in document content or layout have a direct path to influence agent logic. No boundary markers or sanitization are present.
- [COMMAND_EXECUTION] (MEDIUM): The skill executes external CLI tools such as qpdf, pdftotext, and pdfimages via subprocess calls. Additionally, scripts/fill_fillable_fields.py monkeypatches the pypdf library at runtime. These techniques increase the attack surface if document metadata or filenames are maliciously crafted.
- [EXTERNAL_DOWNLOADS] (LOW): The skill depends on multiple third-party Python packages (pypdf, pdfplumber, reportlab, pytesseract, pdf2image, pypdfium2, pandas, Pillow) and system binaries (poppler-utils, qpdf, pdftk). These dependencies require manual verification and installation in the host environment.
Recommendations
- AI detected serious security threats