The Agent Skills Directory

Indirect Prompt Injection (HIGH): The skill instructs the agent to ingest and visually analyze untrusted PDF files (via scripts like extract_form_field_info.py and convert_pdf_to_images.py) to determine how to fill forms. This creates a high-risk surface where malicious instructions embedded in a PDF could influence the agent to write unauthorized data to files or perform unintended actions. Ingestion points: PDFs are parsed and converted to images across multiple scripts. Boundary markers: The documentation in forms.md lacks delimiters or guardrails to separate document content from agent instructions. Capability inventory: The agent can write PDF, image, and JSON files and execute Python scripts. Sanitization: No content sanitization is performed on data extracted from documents.
Dynamic Execution (MEDIUM): The script fill_fillable_fields.py implements runtime monkeypatching of the pypdf library. Dynamic modification of class methods at runtime is a sensitive operation that could be abused if the patching logic were influenced by untrusted input.
Unverifiable Dependencies & Remote Code Execution (LOW): The skill relies on several external packages like pypdf, pdfplumber, and pdf-lib. These are standard tools, and the severity is rated LOW because the skill's source (Anthropic) is a trusted organization.

pdf