NYC

pdf

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill is designed to extract text and tables from PDF files (pypdf, pdfplumber) and use this data to perform further actions, such as generating reports or filling forms.
  • Ingestion points: pypdf.PdfReader in scripts/extract_form_field_info.py, pdfplumber.open in scripts/extract_form_structure.py, and general text extraction in SKILL.md examples.
  • Boundary markers: None found. Extracted text is treated as raw data without delimiters or instructions for the agent to ignore embedded commands.
  • Capability inventory: The skill can write files (writer.write), execute shell commands (pdftotext, qpdf, pdftk), and use Python script generation/execution.
  • Sanitization: No evidence of sanitizing extracted PDF content before it is processed or used in decision-making.
  • Command Execution (MEDIUM): SKILL.md explicitly instructs the agent to use command-line tools like qpdf, pdftotext, and pdftk. While these are standard tools, if used with filenames or arguments derived from unvetted PDF metadata (e.g., Title/Author extracted via pypdf), it could lead to argument injection vulnerabilities.
  • Local Data Exposure (LOW): The skill accesses local file paths to read and write PDFs. While expected for a PDF skill, the lack of sanitization on input files creates a risk where a malicious PDF could influence the agent to read or overwrite unintended local files.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 06:08 AM