Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is highly susceptible to Indirect Prompt Injection. It is designed to ingest and extract text/data from untrusted PDF files. Given its broad capabilities to write files, modify PDFs, and execute system-level commands, a malicious PDF could embed instructions designed to override agent behavior or exfiltrate processed data.
  - Ingestion points: Multiple scripts (extract_form_structure.py, extract_form_field_info.py, fill_fillable_fields.py) read external PDF content.
  - Boundary markers: No explicit delimiters or instructions are provided to the agent to treat PDF content as untrusted data.
  - Capability inventory: Includes subprocess execution (qpdf, pdftk), file writing (PdfWriter), and OCR.
  - Sanitization: No sanitization or safety filtering of the extracted PDF content is implemented.
- COMMAND_EXECUTION (HIGH): The documentation and suggested usage in SKILL.md rely heavily on external CLI tools such as qpdf, pdftk, and pdftotext. If the agent constructs these shell commands using unsanitized, user-provided filenames, it is vulnerable to command injection attacks.
- EXTERNAL_DOWNLOADS (LOW): The skill requires several external Python libraries (pypdf, pdfplumber, pytesseract) and system packages (poppler-utils, qpdf). While these are standard tools, they increase the overall complexity and potential for supply-chain or parser-level vulnerabilities.
- DYNAMIC_EXECUTION (MEDIUM): The script fill_fillable_fields.py performs runtime monkeypatching of the pypdf library (DictionaryObject.get_inherited). While used here for a functional fix, runtime code modification is a sensitive operation that can have side effects on other components sharing the environment.
Recommendations
- AI detected serious security threats
Audit Metadata