Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFE (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: The skill extracts text and metadata from user-provided PDF files, creating a surface for indirect prompt injection if the content contains malicious instructions.
- Ingestion points: Text extraction occurs in `SKILL.md` (via `pypdf` and `pdfplumber`), `scripts/extract_form_structure.py`, and `scripts/extract_form_field_info.py`. OCR-based extraction using `pytesseract` is also supported.
- Boundary markers: No explicit delimiters or instructions to ignore embedded commands are specified when presenting extracted text to the agent.
- Capability inventory: The skill can write to the local filesystem (saving PDFs and images) and executes several CLI tools via subprocesses.
- Sanitization: There is no evidence of filtering or sanitization of the extracted PDF content before it is processed by the agent.
- [COMMAND_EXECUTION]: The skill relies on executing external command-line utilities for advanced PDF operations.
- Evidence: `SKILL.md`, `forms.md`, and `reference.md` contain instructions for using `pdftotext`, `qpdf`, `pdftk`, `pdftoppm`, `pdfimages`, and `magick` (ImageMagick) to merge, split, and render PDF files. These tools are executed as subprocesses using the agent's environment capabilities.
Audit Metadata