pdf

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Tags: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill's primary function involves processing untrusted external data (PDF files), which is a major attack surface.
    • Ingestion points: PDF content and form field metadata are ingested via pypdf in extract_form_field_info.py and via pdfplumber in the SKILL.md examples.
    • Boundary markers: Absent. The instructions in forms.md do not require the agent to use delimiters or to ignore instructions found within the PDF text.
    • Capability inventory: The skill allows significant side effects, including writing new PDF files (PdfWriter.write), generating images (Image.save), and executing various shell commands (qpdf, pdftotext, pdftk), as documented in SKILL.md.
    • Sanitization: None. Text and metadata extracted directly from the PDF are used to build JSON structures (fields.json) that subsequent scripts and the agent rely on for decision-making.
  • Dynamic Execution (MEDIUM): The script scripts/fill_fillable_fields.py performs runtime monkeypatching of the pypdf library.
    • Evidence: It overrides pypdf.generic.DictionaryObject.get_inherited with a custom implementation to work around a specific library bug. Modifying third-party library behavior at runtime is a risky practice that can lead to unexpected security states or stability issues.
  • Command Execution (LOW): The skill workflow depends on the agent executing multiple local Python scripts and system utilities.
    • Evidence: SKILL.md and forms.md give the agent explicit instructions to run convert_pdf_to_images.py, extract_form_field_info.py, and fill_fillable_fields.py. While necessary for functionality, these scripts operate on data derived from untrusted PDF inputs.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 06:29 AM