Pass
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: SAFE COMMAND_EXECUTION PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill provides numerous instructions and scripts that execute local commands and system utilities. It leverages tools such as qpdf, pdftk, and poppler-utils (including pdftotext and pdfimages) for core PDF operations. These are standard tools for document manipulation and are used according to their intended purposes.
- [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted PDF documents, which serves as an ingestion point for external data. This creates a potential surface for indirect prompt injection if a processed document contains malicious instructions intended to manipulate the agent's behavior during content analysis.
  - Ingestion points: PDF files are read and processed by scripts/convert_pdf_to_images.py and scripts/extract_form_field_info.py.
  - Boundary markers: No explicit delimiters are used to separate extracted document content from the agent's internal instruction set.
  - Capability inventory: The agent has access to file-writing tools via pypdf and is instructed to execute local scripts for document processing.
  - Sanitization: There is no evidence of sanitization or filtering applied to the text or image data extracted from the documents.
- [DYNAMIC_EXECUTION]: The script scripts/fill_fillable_fields.py performs runtime monkeypatching of the pypdf library. It specifically modifies DictionaryObject.get_inherited to fix a known bug in how the library handles selection list fields. This is a targeted functional fix and does not exhibit malicious patterns.
- [SAFE]: All referenced Python and Node.js libraries, such as pypdf, pdfplumber, reportlab, and pdf-lib, are standard, widely-used packages from established registries.
Audit Metadata