Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): Significant attack surface for untrusted content to influence agent behavior.
- Ingestion points: Untrusted PDF data is processed in scripts/extract_form_field_info.py and HTML data in scripts/convert_html_to_pdf.py.
- Boundary markers: Absent. No instructions are provided to the agent to treat document content as untrusted or delimited.
- Capability inventory: The skill has significant write permissions and execute capabilities via subprocess calls to Chrome.
- Sanitization: Absent. Extracted document data is handled as raw text without validation.
- Command Execution (MEDIUM): Scripts execute system binaries including google-chrome and qpdf with arguments derived from input file paths, which could be exploited to access unauthorized local files.
- Dynamic Execution (MEDIUM): The script scripts/fill_fillable_fields.py performs a runtime monkeypatch of the pypdf library, a pattern that can hide malicious behavior or cause unexpected side effects.
Recommendations
- AI detected serious security threats
Audit Metadata