Pass
Audited by Gen Agent Trust Hub on Mar 28, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is designed to extract text and analyze images from PDF documents, which are untrusted external data sources. Malicious PDFs could contain embedded instructions intended to override the agent's behavior (indirect prompt injection).
- Ingestion points: Text extraction via
pypdfandpdfplumberinSKILL.md, and visual analysis of PNG images generated from PDFs informs.md. - Boundary markers: None identified; extracted text is provided to the agent without delimiters or instructions to ignore embedded commands.
- Capability inventory: The skill allows for file writing (
PdfWriter), file system operations, and shell command execution via the agent. - Sanitization: There is no evidence of filtering or sanitization of extracted PDF content before it enters the agent's context.
- [DYNAMIC_EXECUTION]: The file
scripts/fill_fillable_fields.pyimplements a runtime monkeypatch of thepypdflibrary'sDictionaryObject.get_inheritedmethod. This technique modifies the internal logic of an imported dependency during execution to workaround a library-specific bug. - [COMMAND_EXECUTION]: The skill's operational flow relies on the agent executing various local Python scripts (
scripts/extract_form_field_info.py,scripts/fill_fillable_fields.py, etc.) and system utilities (qpdf,pdftotext,pdftk) to perform document transformations.
Audit Metadata