Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is designed to ingest and process untrusted PDF data through scripts like
extract_form_field_info.pyandconvert_pdf_to_images.py. - Ingestion points: Untrusted PDF files are read by
scripts/check_fillable_fields.py,scripts/extract_form_field_info.py, andpdfplumberexamples inSKILL.md. - Boundary markers: Absent. The instructions in
forms.mdandSKILL.mddo not provide delimiters or warnings for the agent to ignore instructions embedded within the PDF content. - Capability inventory: The skill has significant capabilities, including writing files to the local system (
pypdf.PdfWriter.write,PIL.Image.save) and executing local Python scripts that manipulate the file system. - Sanitization: Absent. Data extracted from the PDF (such as form labels or text) is used directly to guide the agent's logic in filling forms and creating annotations, creating a path for an attacker to influence the agent via the PDF's visual or structural content.
- Dynamic Execution (MEDIUM): The script
scripts/fill_fillable_fields.pyimplements amonkeypatch_pydpf_method()function. - Evidence: The function overrides
pypdf.generic.DictionaryObject.get_inheritedat runtime. While the comments state this is a workaround for a library bug, runtime modification of library internals is a suspicious pattern that can be used to alter data processing or intercept information. - Command Execution (LOW): The skill frequently uses subprocess-style execution of local Python scripts and system utilities like
qpdf,pdftotext, andpdfimages. While these are part of the stated functionality, they increase the attack surface if input paths are not properly validated by the calling agent.
Recommendations
- AI detected serious security threats
Audit Metadata