Pass
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: SAFE
PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted PDF documents, creating an attack surface for indirect prompt injection.
  - Ingestion points: PDF content is read via `pypdf` and `pdfplumber` in utility scripts and code examples.
  - Boundary markers: No specific delimiters are used to separate external PDF data from the agent's internal instructions.
  - Capability inventory: The agent can write files and execute system commands like `qpdf` and `pdftk`.
  - Sanitization: Extracted text is not sanitized before it is interpreted by the agent.
- [DYNAMIC_EXECUTION]: The skill employs runtime monkeypatching to modify the behavior of an external library.
  - Evidence: `scripts/fill_fillable_fields.py` contains `monkeypatch_pydpf_method`, which dynamically overrides `pypdf.generic.DictionaryObject.get_inherited` to resolve a bug in PDF form handling.
Audit Metadata