skills/gouzhuang/agent-skills/pdf/Gen Agent Trust Hub

pdf

Pass

Audited by Gen Agent Trust Hub on Mar 2, 2026

Risk Level: SAFE
PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8). It ingests untrusted data from PDF files in scripts such as extract_form_structure.py and extract_form_field_info.py. Extracted labels and text are used to dynamically build structured JSON files (fields.json), which are then used for form filling. Because the extracted content is neither wrapped in boundary markers nor sanitized anywhere in this multi-step chain, malicious instructions embedded in a PDF could influence agent behavior.
  • [COMMAND_EXECUTION]: The skill documentation instructs the agent to execute system-level commands using utilities like Ghostscript (gs), qpdf, pdftk, and ImageMagick (magick) for PDF compression, modification, and conversion.
  • [DYNAMIC_EXECUTION]: The script fill_fillable_fields.py implements a runtime monkeypatch of the pypdf library's internal logic to address list-handling issues in PDF attributes. This is a localized modification for library compatibility and does not execute code derived from untrusted external sources.
  • [EXTERNAL_DOWNLOADS]: Documentation references installation of well-known libraries and tools like pytesseract, pdf2image, and poppler-utils, which are standard in the PDF domain.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 2, 2026, 06:37 PM