Pass
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: SAFE (PROMPT_INJECTION, REMOTE_CODE_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted PDF files and uses their content, including field IDs, structure, and text, to drive agent actions and script parameters, creating a surface for indirect prompt injection.
  - Ingestion points: The script `scripts/extract_form_field_info.py` reads internal PDF structure, while `scripts/convert_pdf_to_images.py` generates images for visual analysis.
  - Boundary markers: The instructions in `forms.md` lack explicit delimiters or warnings to ignore potential commands embedded in PDF metadata or visible text.
  - Capability inventory: The agent can execute scripts that modify the filesystem, specifically `scripts/fill_fillable_fields.py` and `scripts/fill_pdf_form_with_annotations.py`, based on data extracted from processed PDFs.
  - Sanitization: No sanitization or escaping of field IDs or values is performed before they are processed by internal scripts.
- [REMOTE_CODE_EXECUTION]: The script `scripts/fill_fillable_fields.py` performs runtime monkeypatching of the `pypdf` library to resolve a functional bug in selection list handling.
  - Evidence: The `monkeypatch_pydpf_method` function modifies the `DictionaryObject.get_inherited` method at runtime. While this is a targeted fix for library compatibility within the skill's primary purpose, runtime modification of library behavior is a dynamic execution pattern that could potentially be used to alter execution flow.
Audit Metadata