Pass
Audited by Gen Agent Trust Hub on Mar 20, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill processes content from external PDF files, which creates a potential surface for indirect prompt injection attacks.
  - Ingestion points: Text and data extraction are performed using `pypdf`, `pdfplumber`, and `pdftotext` as described in `SKILL.md` and `reference.md`.
  - Boundary markers: The skill does not implement delimiters or provide specific instructions to the agent to treat extracted content as untrusted data.
  - Capability inventory: The agent can execute local Python scripts (e.g., `scripts/fill_fillable_fields.py`) and write files to the local system, which could be leveraged if malicious instructions are processed.
  - Sanitization: No sanitization or filtering is performed on the text extracted from PDF documents before it is used by the agent.
- [COMMAND_EXECUTION]: The skill utilizes dynamic code execution and system commands for document processing.
  - Evidence: The script `scripts/fill_fillable_fields.py` implements a monkeypatch on the `pypdf` library's `DictionaryObject.get_inherited` method to correct a bug in selection list processing.
  - Evidence: Documentation in `SKILL.md` and `reference.md` instructs the agent to execute various command-line utilities including `pdftotext`, `qpdf`, `pdftk`, and `pdfimages` for PDF manipulation.
Audit Metadata