The Agent Skills Directory

[Indirect Prompt Injection] (HIGH): The skill's primary function is to process external PDF files using libraries like pypdf and pdfplumber, and tools like pytesseract for OCR. This creates a high-severity surface for Indirect Prompt Injection (Category 8). Malicious instructions hidden in PDFs could be executed if the agent obeys text extracted from these files.\n
Ingestion points: PDF content is read via pypdf, pdfplumber, and pytesseract in SKILL.md and scripts like extract_form_structure.py and extract_form_field_info.py.\n
Boundary markers: No explicit delimiters or instructions to ignore embedded commands are present in the code snippets or scripts.\n
Capability inventory: The skill possesses powerful write and execute capabilities, including filesystem access (writer.write(), image.save()) and shell command execution.\n
Sanitization: There is no evidence of sanitization or filtering of the extracted text before it is returned to the agent context.\n- [Command Execution] (HIGH): SKILL.md provides explicit instructions and examples for the agent to execute shell commands using pdftotext, qpdf, and pdftk. If an agent is compromised via prompt injection, these tools could be used to perform unauthorized file operations or gain further system information.\n- [External Downloads] (LOW): SKILL.md recommends the installation of several external Python packages (pytesseract, pdf2image, pdfplumber, etc.). While these are standard tools, they represent external dependencies. Per [TRUST-SCOPE-RULE], this is classified as LOW because the skill originates from a trusted organization (Anthropic).\n- [Dynamic Execution] (MEDIUM): The script scripts/fill_fillable_fields.py uses monkeypatching to alter the runtime behavior of the pypdf library. While localized, this practice can introduce instability or be leveraged in more complex exploit chains.

pdf