Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is designed to ingest and process untrusted external PDF files, creating a significant attack surface for indirect prompt injection.
- Ingestion points: PDF data is loaded via
pypdfinextract_form_field_info.py,fill_fillable_fields.py, andfill_pdf_form_with_annotations.py, as well aspdfplumberinSKILL.md. - Boundary markers: No explicit boundary markers or instructions to ignore embedded commands are used when the agent processes the extracted text or form data.
- Capability inventory: The skill possesses the capability to write and modify files (
PdfWriter.write) and perform complex operations based on PDF contents. - Sanitization: The skill lacks sanitization for the text or metadata extracted from PDFs before it is presented to the agent context.
- Dynamic Execution (MEDIUM): The file
scripts/fill_fillable_fields.pyimplements a monkeypatching technique to overrideDictionaryObject.get_inheritedin thepypdflibrary at runtime. While this is used to address a specific library bug, dynamic modification of imported libraries is a risky practice that can lead to unexpected behavior or be exploited if the patching logic is compromised. - Command Execution (LOW): The
SKILL.mdfile documentation encourages the use of system-level command-line tools such asqpdf,pdftk, andpdftotext, which increases the agent's operational footprint and reliance on the host environment's shell capabilities.
Recommendations
- AI detected serious security threats
Audit Metadata