The Agent Skills Directory

Indirect Prompt Injection (HIGH): The skill processes untrusted PDF documents via pypdf, pdfplumber, and pdf2image. A malicious PDF could contain instructions in its text or metadata designed to override the agent's behavior. Because the skill has file-writing capabilities and executes system commands, this represents a significant attack surface. 1. Ingestion points: PDF files processed in scripts/extract_form_field_info.py, scripts/convert_pdf_to_images.py, and examples in SKILL.md. 2. Boundary markers: None are present in the scripts or instructions. 3. Capability inventory: High-privilege actions including file creation (PdfWriter.write, image.save, json.dump) and shell command execution. 4. Sanitization: No validation or filtering is applied to the extracted PDF content.
Command Execution (MEDIUM): The skill relies on external command-line utilities such as pdftotext, qpdf, and pdftk, executing them via shell commands with arguments that may be derived from untrusted input files.
Dynamic Execution (MEDIUM): The script scripts/fill_fillable_fields.py performs a monkeypatch on the pypdf library at runtime to address a bug in selection list handling, which dynamically modifies the behavior of a dependency.

pdf