Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [Indirect Prompt Injection] (MEDIUM): The skill is designed to ingest and process untrusted external data in the form of PDF files. This creates an attack surface where malicious instructions embedded in a PDF's text, metadata, or visual layout could influence the agent's logic during form-filling and extraction tasks.
  - Ingestion Point: `scripts/extract_form_field_info.py` and `scripts/convert_pdf_to_images.py` ingest untrusted PDF data.
  - Boundary Markers: Absent. There are no delimiters or specific instructions to ignore content within the processed PDFs.
  - Capability Inventory: The skill can write files (`pypdf`'s `PdfWriter.write`), execute subprocesses (via instructions to run shell scripts), and perform image manipulation.
  - Sanitization: No sanitization or escaping is performed on the text extracted from or intended for the PDF forms.
- [Dynamic Execution] (MEDIUM): The script `scripts/fill_fillable_fields.py` performs runtime monkeypatching of the `pypdf` library by overwriting `DictionaryObject.get_inherited`. While the code includes a comment justifying this as a bug workaround, modifying third-party library internals at runtime is a risky pattern that can be used to hide malicious behavior or introduce instability.
- [Command Execution] (LOW): The skill instructions (e.g., in `SKILL.md` and `references/forms.md`) guide the agent to execute multiple Python scripts and system utilities like `pdftoppm`. While these are functional requirements for the skill, they represent a broad capability surface that requires the agent to have shell access.
Audit Metadata