Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [SAFE]: No malicious behavior, obfuscation, or unauthorized data access was detected. The skill is authored by a trusted entity and uses legitimate dependencies.
- [PROMPT_INJECTION]: The skill processes untrusted PDF documents, presenting an inherent surface for indirect prompt injection.
  1. Ingestion points: `pypdf` is used for form extraction and `pdfplumber` is used for text/table parsing.
  2. Boundary markers: `forms.md` contains strict workflow instructions ('CRITICAL: You MUST complete these steps in order') to constrain agent behavior.
  3. Capability inventory: The skill can write files to the local disk and execute subprocesses for PDF tools.
  4. Sanitization: `scripts/check_bounding_boxes.py` and `scripts/fill_fillable_fields.py` provide structural validation and verification of field IDs/values, although no text content filtering is implemented.

  This surface is considered a standard operational risk for document processing tools.
- [COMMAND_EXECUTION]: The skill provides instructions for using standard PDF utilities (`qpdf`, `pdftotext`, `pdftk`) on local files, which is appropriate for its primary function.
- [REMOTE_CODE_EXECUTION]: `scripts/fill_fillable_fields.py` applies a runtime monkeypatch to the `pypdf` library to resolve a specific selection list bug. This is a static code modification for compatibility and does not facilitate the execution of untrusted external code.
Audit Metadata