pdf

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Tags: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill is designed to ingest and process untrusted data from PDF files through text extraction and OCR. This data is then used by the agent to perform sensitive operations such as filling forms and creating document annotations without sanitization.
      • Ingestion points: pdfplumber.open() in SKILL.md and visual image analysis in forms.md.
      • Boundary markers: Absent; there are no instructions to delimit or treat the extracted text as untrusted.
      • Capability inventory: Writing modified PDFs (PdfWriter.write), saving images (Image.save), and executing various local Python scripts via the command line.
      • Sanitization: Absent; extracted data is used directly for document generation.
  • [Dynamic Execution] (MEDIUM): The script scripts/fill_fillable_fields.py implements runtime monkeypatching of the pypdf library.
      • Evidence: The function monkeypatch_pydpf_method overrides DictionaryObject.get_inherited at runtime to work around a specific formatting bug in the library. Modifying library internals dynamically can lead to instability or be exploited if library state is influenced by untrusted data.
  • [Prompt Injection] (LOW): SKILL.md contains hardcoded instructions regarding 'Nano Banana Pro' that mandate the automatic generation of scientific schematics by default, which could override user intent or lead to unintended external skill usage.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 03:06 AM