Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted PDF documents and images.
- Ingestion points: PDF content is extracted using pypdf and pdfplumber, and converted to images via pdf2image in scripts/convert_pdf_to_images.py.
- Boundary markers: No delimiters or instructions are used to distinguish untrusted PDF content from agent instructions.
- Capability inventory: The skill has the ability to write files to the filesystem and execute external CLI tools.
- Sanitization: Extracted text and image data are not sanitized or validated before processing.
- [COMMAND_EXECUTION]: The skill uses external system binaries and dynamic code modification.
- Documentation in SKILL.md and reference.md explicitly instructs the use of system tools like qpdf, pdftotext, and pdftk.
- The script scripts/fill_fillable_fields.py implements a monkeypatch at runtime for the pypdf library's DictionaryObject.get_inherited method to handle specific form field formatting issues.
- [EXTERNAL_DOWNLOADS]: The documentation references the installation of multiple external Python and system packages.
- SKILL.md and reference.md suggest installing packages such as pytesseract, pdf2image, pdfplumber, and pypdfium2 via pip.
- JavaScript libraries like pdf-lib and pdfjs-dist are also referenced for advanced workflows.
Audit Metadata