The Agent Skills Directory

[Prompt Injection] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection as it is designed to extract and analyze text from external PDFs using pypdf, pdfplumber, and pytesseract (OCR). A malicious PDF could contain hidden instructions that override the agent's behavior. \n- Ingestion points: PDF reading operations in SKILL.md, field extraction in scripts/extract_form_field_info.py, and OCR conversion in scripts/convert_pdf_to_images.py. \n- Boundary markers: Absent. There are no delimiters or instructions to treat extracted PDF content as untrusted data. \n- Capability inventory: The skill can write to the filesystem (PDFs, images, Excel files) and execute shell commands via subprocess (qpdf, pdftk, pdftotext). \n- Sanitization: No validation or sanitization of extracted PDF content is performed. \n- [Command Execution] (MEDIUM): SKILL.md provides and encourages the use of shell command snippets for tools like qpdf, pdftk, and poppler-utils. These tools operate on untrusted input files, which could lead to exploit scenarios if combined with a successful prompt injection. \n- [Dynamic Execution] (MEDIUM): The file scripts/fill_fillable_fields.py implements a runtime monkeypatch of the pypdf library's internal DictionaryObject.get_inherited method. Modifying dependency behavior at runtime is a significant security risk that can introduce stability issues and hide malicious logic.

pdf