Pass
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill processes external PDF files, creating a surface for indirect prompt injection where malicious instructions could be embedded in documents to influence agent behavior.
  - Ingestion points: PDF files are read via pypdf, pdfplumber, and poppler-utils in SKILL.md, REFERENCE.md, and several scripts like extract_form_structure.py.
  - Boundary markers: Absent; the instructions do not specify delimiters to separate untrusted PDF content from agent instructions.
  - Capability inventory: The skill enables file system writes and shell command execution (e.g., qpdf, pdftotext) based on document processing results.
  - Sanitization: Absent; there is no evidence of filtering or escaping extracted text before it enters the agent context.
- [COMMAND_EXECUTION]: The skill provides scripts and instructions for executing standard CLI tools (qpdf, pdftotext, magick) to manipulate PDFs. This behavior is consistent with the skill's stated purpose.
Audit Metadata