Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes untrusted PDF data to extract text and structure which then informs subsequent agent actions.
  - Ingestion points: `scripts/extract_form_field_info.py` and `scripts/extract_form_structure.py` read external PDF content.
  - Boundary markers: No explicit delimiters or instructions to ignore embedded commands are used when processing extracted text.
  - Capability inventory: The agent has the ability to write files via `scripts/fill_fillable_fields.py` and `scripts/fill_pdf_form_with_annotations.py`.
  - Sanitization: No sanitization or validation of the extracted PDF text is performed before it is used by the agent.
- [COMMAND_EXECUTION]: The skill's workflow depends on the execution of multiple Python scripts and external command-line utilities (e.g., `qpdf`, `pdftotext`, `pdftk`, and `magick`) to perform file transformations.
- [DYNAMIC_EXECUTION]: The script `scripts/fill_fillable_fields.py` utilizes runtime monkeypatching of the `pypdf` library's `DictionaryObject.get_inherited` method to modify its behavior for specific PDF metadata handling.
- [CREDENTIALS_UNSAFE]: `SKILL.md` includes a code example for PDF encryption that uses hardcoded literal strings (`"userpassword"`, `"ownerpassword"`) as secrets, which could lead to insecure practices if copied directly by a user.
Audit Metadata