PDF Processing

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
  • PROMPT_INJECTION (HIGH): The skill is susceptible to Indirect Prompt Injection. It instructs the agent to analyze untrusted PDF content and images to 'determine the purpose of each form field', which allows an attacker to embed malicious instructions in a PDF to hijack the agent's workflow.
    1. Ingestion points: pypdf, pdfplumber, and pdf2image are used to process external PDF files.
    2. Boundary markers: Absent; there are no instructions for the agent to ignore content inside the PDFs.
    3. Capability inventory: The skill can write files, modify forms, and lead the agent to execute shell commands.
    4. Sanitization: None.
  • COMMAND_EXECUTION (MEDIUM): The skill encourages the agent to use command-line utilities (qpdf, pdftotext, pdftk) which could be vulnerable to argument injection from untrusted PDF metadata.
  • REMOTE_CODE_EXECUTION (MEDIUM): The script scripts/fill_fillable_fields.py performs runtime monkeypatching of the pypdf library to alter the behavior of DictionaryObject.get_inherited.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 12:51 PM