Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill processes untrusted PDF files that may contain malicious instructions designed to hijack the agent's workflow.
- Ingestion points: PDF text and structure are extracted using
pypdfandpdfplumber(e.g., inscripts/extract_form_field_info.py). - Boundary markers: None. The agent is not instructed to isolate or sanitize extracted content.
- Capability inventory: The skill can write files to disk, including generated PDFs (
PdfWriter.write), PNG images (Image.save), and JSON metadata. - Sanitization: No validation or escaping is applied to extracted data before it influences agent logic or file creation.
- [Dynamic Execution] (MEDIUM):
scripts/fill_fillable_fields.pycontains amonkeypatch_pydpf_methodfunction that modifies thepypdflibrary at runtime. This practice of altering third-party library internals is fragile and can be exploited to hide malicious behavior or bypass intended security boundaries. - [Unverifiable Dependencies & Remote Code Execution] (LOW): The skill requires several external libraries (
pypdf,pdfplumber,reportlab,pandas,pytesseract,pdf2image,Pillow). These represent an expanded attack surface and are not pinned to specific versions, which is a best-practice violation.
Recommendations
- AI detected serious security threats
Audit Metadata