Pass
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through the processing of untrusted PDF documents.
  - Ingestion points: Content is extracted using 'scripts/extract_form_structure.py', 'scripts/extract_form_field_info.py', and rendered via 'scripts/convert_pdf_to_images.py'.
  - Boundary markers: There are no mechanisms or instructions provided to the agent to isolate or disregard potential instructions embedded within the PDF content.
  - Capability inventory: The agent can execute local Python scripts, system CLI tools (like qpdf and magick), and write files to the local disk.
  - Sanitization: Text extracted from the PDF is presented to the agent without escaping or sanitization, allowing malicious instructions to potentially be interpreted as valid commands.
- [COMMAND_EXECUTION]: The skill's workflow involves running several command-line tools and scripts, including 'qpdf', 'pdftotext', and 'magick', to process files and images as intended.
- [PROMPT_INJECTION]: The script 'scripts/fill_fillable_fields.py' performs dynamic modification (monkeypatching) of the 'pypdf' library at runtime to ensure correct handling of specific PDF field attributes.