Warn
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: MEDIUMCOMMAND_EXECUTION
Full Analysis
- [DYNAMIC_EXECUTION]: The script
scripts/fill_fillable_fields.pyimplements a runtime monkeypatch of thepypdflibrary. It dynamically overridespypdf.generic.DictionaryObject.get_inheritedwith a custom function to modify how the library handles selection list formatting. This runtime modification of third-party code behavior is a significant dynamic execution pattern. - [INDIRECT_PROMPT_INJECTION]: The skill processes external, untrusted PDF documents, which serves as an ingestion point for potentially malicious instructions.
- Ingestion points: Untrusted PDF files are processed in
scripts/extract_form_field_info.py,scripts/convert_pdf_to_images.py, andscripts/fill_fillable_fields.py. - Boundary markers: There are no explicit boundary markers or instructions to ignore embedded commands within the PDF content or form field metadata.
- Capability inventory: The skill can perform local file operations (writing PDF, PNG, and JSON files) and the documentation suggests the execution of several command-line utilities (
qpdf,pdftotext,pdftk). - Sanitization: The skill includes structural validation for bounding boxes in
scripts/check_bounding_boxes.py, but it does not sanitize text or metadata extracted from the PDFs to prevent adversarial instructions from influencing the agent.
Audit Metadata