Pass
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION EXTERNAL_DOWNLOADS REMOTE_CODE_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill processes external PDF files, creating a surface for indirect prompt injection where malicious instructions could be embedded in document text or form metadata.
- Ingestion points: Data enters the agent's context through text and metadata extraction in `scripts/extract_form_structure.py`, `scripts/extract_form_field_info.py`, and library code snippets in `SKILL.md`.
- Boundary markers: No specific delimiters or safety instructions are used to separate extracted PDF content from the agent's core instructions.
- Capability inventory: The skill has broad capabilities including file system access (read/write) and execution of external command-line utilities.
- Sanitization: Extracted content is not sanitized or escaped before being presented to the agent.
- [DYNAMIC_EXECUTION]: The script `scripts/fill_fillable_fields.py` performs a runtime monkeypatch of the `pypdf` library. It modifies `DictionaryObject.get_inherited` at runtime to adjust handling of form field attributes, which constitutes dynamic code modification.
- [COMMAND_EXECUTION]: Documentation in `SKILL.md` and `forms.md` suggests the use of various CLI tools such as `qpdf`, `pdftotext`, and `magick` for PDF and image manipulation. These are standard operations for the skill's intended purpose.
- [EXTERNAL_DOWNLOADS]: The skill references several well-known technology libraries such as `pypdf`, `pdfplumber`, and `reportlab`. These are recognized as well-known, trusted services and are documented neutrally as functional requirements.