Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is primarily designed to ingest and process data from external, untrusted PDF files using libraries like
pypdfandpdfplumber. - Ingestion points: Found in
SKILL.md(e.g.,PdfReader("document.pdf")),scripts/check_fillable_fields.py, andscripts/extract_form_field_info.py. - Boundary markers: The instructions in
forms.mddo not provide delimiters or instructions for the agent to treat extracted PDF content as untrusted data, increasing the risk that embedded malicious instructions could be obeyed. - Capability inventory: The skill grants the agent the ability to write files (
PdfWriter.write), execute shell commands (qpdf,pdftotext), and perform OCR (pytesseract). - Sanitization: There is no evidence of sanitization or filtering of the extracted text or metadata before it is presented to the agent for analysis or decision-making.
- [Dynamic Execution] (MEDIUM): The script
scripts/fill_fillable_fields.pyimplementsmonkeypatch_pydpf_method(), which modifies thepypdflibrary'sDictionaryObject.get_inheritedmethod at runtime. While documented as a bug fix, runtime modification of third-party libraries is a risky pattern that can be used to alter security-critical behavior. - [Command Execution] (LOW):
SKILL.mdexplicitly instructs the agent to use various command-line utilities (qpdf,pdftk,poppler-utils). While these are standard tools, they expand the attack surface if the agent is tricked into passing malicious arguments via prompt injection.
Recommendations
- AI detected serious security threats
Audit Metadata