skills/kortix-ai/kortix-registry/pdf/Gen Agent Trust Hub

pdf

Pass

Audited by Gen Agent Trust Hub on Mar 3, 2026

Risk Level: SAFE | PROMPT_INJECTION | COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is designed to ingest and process text from external PDF files, which represents an indirect prompt injection surface. Maliciously crafted documents could potentially contain instructions that the agent might follow if not properly delimited.
      • Ingestion points: PDF content is read and extracted in the 'Quick Start' section of SKILL.md, pdfplumber examples, and via scripts/extract_form_structure.py which extracts word-level text.
      • Boundary markers: No specific delimiters or warnings are used in the scripts or the instructional guides to separate untrusted PDF content from agent instructions.
      • Capability inventory: The skill provides capabilities for reading, writing, and modifying files (PDFs, JSON, images) and instructions for the agent to execute specific Python scripts and CLI tools.
      • Sanitization: There is no evidence of sanitization or filtering of the text extracted from PDFs before it is processed by the agent.
  • [COMMAND_EXECUTION]: The skill provides and instructs the agent to execute several Python scripts located in the scripts/ directory, as well as command-line utilities such as qpdf, pdftotext, and pdfimages. These operations are consistent with the skill's primary purpose of PDF processing.
  • [PROMPT_INJECTION]: The instructions in forms.md and SKILL.md direct the agent's operational workflow. These instructions are functional and do not attempt to bypass core safety guardrails or maliciously override system prompts.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 3, 2026, 08:35 AM