Pdf

Warn

Audited by Gen Agent Trust Hub on Mar 16, 2026

Risk Level: MEDIUM | PROMPT_INJECTION | COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill contains a specific instruction to "Load complete PAI context" by reading a file at ~/.claude/PAI/SKILL.md. This file is used to define the agent's identity, contact lists, and security rules. By forcing the agent to load configuration from an external local file before starting tasks, the skill creates a mechanism for instruction redirection or safety filter bypass through unmanaged content.
  • [PROMPT_INJECTION]: The skill's primary function is to extract text, tables, and metadata from user-provided PDF files. It lacks the use of boundary markers or explicit sanitization logic for this extracted content. This presents a surface for indirect prompt injection, where an attacker could embed instructions within a document that the agent might inadvertently follow after processing.
  • [COMMAND_EXECUTION]: The script Scripts/fill_fillable_fields.py implements a runtime monkeypatch of the pypdf library (DictionaryObject.get_inherited). Dynamically altering the behavior of third-party libraries during execution is a high-risk practice that can hide malicious logic and complicates static security analysis of the skill's dependencies.
  • [COMMAND_EXECUTION]: The skill documentation and helper scripts facilitate the execution of multiple external CLI tools (including qpdf, pdftotext, pdftk, and pdfimages) and Python sub-scripts. This relies on the agent environment having these tools installed and poses a risk if inputs to these commands are not strictly validated against shell injection or path traversal.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 16, 2026, 03:45 AM