Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is designed to process untrusted PDF files and their extracted contents (text, tables, and images). This creates a significant surface for indirect prompt injection attacks. Malicious instructions embedded in a PDF could influence the agent's behavior during the multi-step analysis workflow described in
forms.md. - Ingestion points: PDF files read via
pypdfandpdfplumber, and images generated viascripts/convert_pdf_to_images.py. - Capabilities: File system write access (
PdfWriter), metadata modification, and command-line tool execution. - Sanitization: No evidence of sanitization or delimiters to isolate untrusted content from the agent's reasoning.
- [COMMAND_EXECUTION] (MEDIUM): The
SKILL.mdfile documents and encourages the use of various command-line utilities (qpdf,pdftotext,pdftk,pdfimages) via subprocesses. This introduces risks if the agent constructs shell commands using untrusted inputs like filenames or internal document data. - [DYNAMIC_EXECUTION] (MEDIUM):
scripts/fill_fillable_fields.pycontains a functionmonkeypatch_pydpf_method()that dynamically modifies thepypdf.generic.DictionaryObject.get_inheritedmethod at runtime. While used here as a bug workaround, runtime library modification is an inherently risky pattern that can lead to unstable or insecure execution states.
Recommendations
- AI detected serious security threats
Audit Metadata