Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it is designed to ingest and process data from untrusted PDF documents.
- Ingestion points: The scripts
extract_form_field_info.py,fill_fillable_fields.py, andpdfplumberexamples inSKILL.mdread and analyze content directly from PDF files provided by users. - Boundary markers: The instructions in
forms.mddo not include explicit warnings or delimiters to help the agent distinguish between its instructions and potentially malicious instructions embedded within the PDF text or metadata. - Capability inventory: The skill possesses extensive capabilities, including reading/writing local files and executing shell commands (e.g.,
qpdf,pdftotext), which could be leveraged if an injection is successful. - Sanitization: There is no evidence of content sanitization or validation to filter out potential instructions from the PDF content before it is presented to the agent.
- [COMMAND_EXECUTION]: The skill relies on the execution of multiple local Python scripts and external command-line utilities.
SKILL.mdandreference.mdinstruct the agent to use CLI tools such asqpdf,pdftotext,pdftk, andpdfimagesfor document manipulation.- The skill includes several helper scripts (e.g.,
scripts/convert_pdf_to_images.py,scripts/fill_pdf_form_with_annotations.py) that the agent is expected to run to perform its tasks. - [REMOTE_CODE_EXECUTION]: The script
fill_fillable_fields.pyperforms dynamic modification of a third-party library at runtime. - The function
monkeypatch_pydpf_methodoverridespypdf.generic.DictionaryObject.get_inheritedto fix a specific bug in thepypdflibrary's handling of selection lists. While this logic is static and intended for compatibility, it represents dynamic execution behavior.
Audit Metadata