Pass
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- Prompt Injection (LOW): The skill is susceptible to indirect prompt injection because it extracts and analyzes text from untrusted PDF files.
  - Ingestion points: `scripts/extract_form_field_info.py`, `scripts/check_fillable_fields.py`, and extraction examples in `SKILL.md`.
  - Boundary markers: Absent. The skill does not implement delimiters or 'ignore' instructions for the extracted text before it is processed by the agent.
  - Capability inventory: Extensive PDF manipulation capabilities including file writing (`PdfWriter`), metadata extraction, and form filling.
  - Sanitization: Absent. Text extracted via OCR (`pytesseract`) or direct reading (`pypdf`, `pdfplumber`) is passed to the agent without filtering.
- Dynamic Execution (LOW): `scripts/fill_fillable_fields.py` performs runtime monkeypatching of the `pypdf` library (`DictionaryObject.get_inherited`) to resolve a known bug in selection list handling. This is a targeted compatibility fix.
- Command Execution (LOW): The `SKILL.md` guide documents the use of standard system binaries such as `qpdf`, `pdftk`, and `pdftotext`. While these are legitimate utilities, executing them on untrusted files increases the environment's attack surface.
Audit Metadata