Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is highly susceptible to indirect prompt injection through the processing of untrusted PDF files.
  - Ingestion points: The skill uses `pypdf`, `pdfplumber`, and `pytesseract` to read and extract text from external PDF files (e.g., `PdfReader("document.pdf")` in `SKILL.md`).
  - Boundary markers: No explicit boundary markers or instructions to ignore embedded commands within the processed PDF content are present in the scripts or the `forms.md` instructions.
  - Capability inventory: The skill possesses significant side-effect capabilities, including writing PDF files (`PdfWriter`), saving images (`Pillow.save`), and outputting extracted text for further agent reasoning.
  - Sanitization: There is no evidence of sanitization or filtering for malicious instructions embedded in the PDF metadata or extracted text before the agent processes it.
- [Dynamic Execution] (MEDIUM): The script `scripts/fill_fillable_fields.py` performs runtime monkeypatching of the `pypdf` library.
  - Evidence: The `monkeypatch_pydpf_method` function replaces `pypdf.generic.DictionaryObject.get_inherited` with a custom implementation at runtime to work around a bug in the library's handling of choice fields.
  - Risk: While the patch appears targeted and benign in intent, runtime modification of imported libraries is a high-risk technique that can be used to hide malicious behavior or introduce instability.
Recommendations
- AI detected serious security threats
Audit Metadata