Pass
Audited by Gen Agent Trust Hub on Apr 30, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted external PDF files and extracts text, which represents an indirect prompt injection surface.
  - Ingestion points: Text extraction operations in SKILL.md and automated structure analysis in scripts/extract_form_structure.py.
  - Boundary markers: No specific delimiters or "ignore instructions" prompts are implemented when processing extracted content.
  - Capability inventory: File system writes (creating new PDFs) and shell command execution (image processing and PDF utilities).
  - Sanitization: Extracted text is used directly by the agent without specific filtering for prompt-like strings.
- [COMMAND_EXECUTION]: The skill utilizes several standard command-line utilities including pdftotext, qpdf, and magick (ImageMagick) to perform document manipulations. These are well-known tools used here for their intended functionality.
- [REMOTE_CODE_EXECUTION]: The script scripts/fill_fillable_fields.py performs a runtime monkeypatch of the pypdf library's get_inherited method. This is a transparently implemented functional workaround to fix specific PDF field attribute parsing and is categorized as low-risk dynamic code modification in this context.
Audit Metadata