pdf

Pass

Audited by Gen Agent Trust Hub on Apr 22, 2026

Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) because it ingests data from external PDF files and processes it without implementing protective delimiters or sanitization. This could allow an attacker to embed malicious instructions within a PDF to hijack the agent's behavior.
      • Ingestion points: SKILL.md (using pdfplumber), scripts/extract_form_structure.py, and scripts/extract_form_field_info.py.
      • Boundary markers: Absent; extracted text is not wrapped in any markers to distinguish it from system instructions.
      • Capability inventory: The skill has the ability to execute shell commands via bash, write files to the local system, and use python_repl for data processing.
      • Sanitization: No sanitization or filtering is performed on the content extracted from PDF documents.
  • [COMMAND_EXECUTION]: The skill uses the bash tool to execute its own Python scripts for core tasks like Markdown-to-PDF conversion, image rendering, and form filling.
  • [EXTERNAL_DOWNLOADS]: The skill instructions provide the agent with commands to install legitimate dependencies such as reportlab from the official Python package registry if they are missing from the environment.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 22, 2026, 05:20 PM