Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill has a significant vulnerability surface because it processes untrusted PDF data and possesses capabilities to write files and execute commands. Evidence: ingestion points are present in extract_form_field_info.py and convert_pdf_to_images.py; boundary markers and sanitization for PDF content are absent; capabilities include file writes in fill_fillable_fields.py and fill_pdf_form_with_annotations.py, alongside suggested CLI execution in SKILL.md.
- Dynamic Execution (MEDIUM): The script scripts/fill_fillable_fields.py performs a runtime monkeypatch on pypdf.generic.DictionaryObject.get_inherited. While the implementation appears to be a legitimate bug fix for a specific library version, runtime modification of library behavior is a non-standard practice.
- External Dependencies (LOW): The skill requires multiple third-party libraries (pypdf, pdfplumber, reportlab, etc.). These are evaluated as LOW severity findings as they are standard packages from trusted repositories and registries per the trust-scope-rule.
Recommendations
- AI detected serious security threats