Pass
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes text, metadata, and form data from untrusted PDF documents.
  1. Ingestion points: scripts/extract_form_field_info.py, scripts/check_fillable_fields.py, and SKILL.md (via pypdf and pdfplumber).
  2. Boundary markers: No specific delimiters or instructions are used to isolate PDF content from the agent's system prompt.
  3. Capability inventory: The skill can execute shell commands, write files, and manipulate document structures.
  4. Sanitization: No sanitization or validation of extracted text is performed before it enters the agent's context.
- [COMMAND_EXECUTION]: The skill relies on several external system binaries (pdftotext, qpdf, pdftk, pdfimages, pdftoppm) for document processing. While these are standard tools, their use via shell commands increases the attack surface if input paths or arguments are manipulated. Additionally, SKILL.md references a scripts/generate_schematic.py file which is missing from the provided source code.
- [SAFE]: scripts/fill_fillable_fields.py implements a runtime monkeypatch for the pypdf library to resolve a known bug with selection list fields. This is a static code modification for functional purposes and does not pose a direct security risk.
Audit Metadata