Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFEPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- [Indirect Prompt Injection] (LOW): The skill is designed to ingest and process data from untrusted PDF files.
- Ingestion points: PDF extraction in scripts/extract_form_structure.py and scripts/extract_form_field_info.py.
- Boundary markers: Delimiters and instructions to ignore embedded commands are absent.
- Capability inventory: File system write access via pypdf, pdfplumber, and Pillow; execution of CLI tools (qpdf, pdftotext) is recommended in documentation.
- Sanitization: No sanitization of extracted text is performed before it is passed to the agent context.
- [Dynamic Execution] (LOW): The script scripts/fill_fillable_fields.py uses monkeypatching to modify the pypdf library's DictionaryObject.get_inherited method at runtime to correctly handle specific form attributes.
- [External Downloads] (LOW): The skill documentation recommends unversioned installation of several Python packages (pytesseract, pdf2image) and system-level utilities (poppler-utils, qpdf, pdftk). This finding is downgraded from MEDIUM because the skill is attributed to a trusted organization (Anthropic).
Audit Metadata