Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- Prompt Injection (HIGH): The
forms.mdfile contains strong instructional overrides such as 'CRITICAL: You MUST complete these steps in order. Do not skip ahead to writing code.' and 'Follow the below steps exactly.' These patterns are designed to bypass the agent's normal decision-making and planning processes. - Indirect Prompt Injection (HIGH): The skill provides a significant attack surface for indirect prompt injection by processing untrusted PDF documents.
- Ingestion points:
scripts/extract_form_field_info.pyandscripts/fill_fillable_fields.pyingest arbitrary data from PDF form fields (IDs and values). - Boundary markers: There are no boundary markers or instructions to the agent to ignore embedded commands in the extracted PDF data.
- Capability inventory: The skill has extensive file-write capabilities across multiple scripts, including
scripts/fill_fillable_fields.pyandscripts/fill_pdf_form_with_annotations.py. - Sanitization: No sanitization or escaping is performed on the extracted PDF metadata or field content before it is processed by the agent or written back to files.
- Dynamic Execution (MEDIUM): The script
scripts/fill_fillable_fields.pyimplements a runtime monkeypatch of thepypdflibrary'sDictionaryObject.get_inheritedmethod. While documented as a bug fix, runtime modification of executable library code is a risky pattern that can be exploited to alter program flow or hide malicious behavior. - External Downloads (LOW):
SKILL.mdandforms.mdprovide instructions to install external dependencies likepytesseractandpdf2imageand suggest using command-line tools likepoppler-utilsandqpdf. While these are well-known tools, they increase the overall attack surface of the environment.
Recommendations
- AI detected serious security threats
Audit Metadata