Warn
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: MEDIUM
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The forms.md file employs high-priority directive language such as 'CRITICAL' and mandatory workflow constraints to override standard agent decision-making.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection from malicious content within processed PDFs. Ingestion points: PDF reading operations in scripts/check_fillable_fields.py, scripts/extract_form_field_info.py, and scripts/fill_fillable_fields.py. Boundary markers: Absent. Capability inventory: File system read/write, image processing, and shell command execution. Sanitization: Absent; content extracted from PDFs is processed directly in the agent context.
- [COMMAND_EXECUTION]: Documentation in SKILL.md and reference.md provides templates for executing system commands including qpdf, pdftotext, and pdftk, instructing the agent to run these tools for document manipulation.
- [REMOTE_CODE_EXECUTION]: The script scripts/fill_fillable_fields.py uses a monkeypatching technique to dynamically redefine library methods at runtime. While documented as a bug fix for the pypdf library, this dynamic code modification represents a technique that can be used to alter program logic unexpectedly.