Pass
Audited by Gen Agent Trust Hub on Feb 24, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill's primary function is extracting data and text from external PDF documents using pypdf, pdfplumber, and OCR tools like pytesseract. This workflow is inherently susceptible to indirect prompt injection, where a malicious document could contain instructions designed to override the agent's behavior.
  - Ingestion points: Text extraction occurs in the SKILL.md examples and via scripts/extract_form_field_info.py, which reads field names and metadata.
  - Boundary markers: The instructions in forms.md do not provide clear delimiters or 'ignore instructions' warnings when the agent processes extracted text.
  - Capability inventory: The agent has the ability to read/write files and execute the provided Python scripts in the scripts/ directory.
  - Sanitization: There is no evidence of sanitization or filtering of the content extracted from the PDFs before it is returned to the agent.
- [COMMAND_EXECUTION]: The skill relies on the execution of multiple local Python scripts and system-level binaries (e.g., qpdf, pdftotext, pdftk) to perform its tasks. The forms.md file provides specific command-line instructions for the agent to follow.
Audit Metadata