skills/billylui/skills/pdf/Gen Agent Trust Hub

pdf

Pass

Audited by Gen Agent Trust Hub on Feb 28, 2026

Risk Level: SAFE | COMMAND_EXECUTION | PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill relies on executing various command-line utilities (e.g., qpdf, pdftotext, pdfimages, magick, convert, pdftoppm) and local Python scripts (e.g., scripts/extract_form_field_info.py, scripts/fill_fillable_fields.py) to perform PDF operations. While these are standard tools for the described purpose, invoking shell commands with file paths provided as arguments requires careful handling of special characters to prevent command injection via filenames.
  • [PROMPT_INJECTION]: The skill is designed to ingest and process data from external PDF files, which introduces a surface for indirect prompt injection.
    • Ingestion points: Content is extracted from PDFs using multiple scripts and libraries including scripts/extract_form_field_info.py, scripts/extract_form_structure.py, pdfplumber, and pypdf.
    • Boundary markers: The instructions and prompt templates within the skill do not specify the use of delimiters or provide instructions for the agent to disregard potentially malicious instructions embedded in the PDF text.
    • Capability inventory: The agent has capabilities to read/write local files and execute shell commands and Python scripts.
    • Sanitization: There is no evidence of sanitization or validation of the extracted text before it is presented to the agent's context.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 28, 2026, 03:13 AM