skills/modelscope/ms-agent/pdf/Gen Agent Trust Hub

Result: Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Flags: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill is designed to process untrusted external content (PDFs and their image conversions) and instructs the agent to analyze this content to make decisions about filling forms. This creates a significant vulnerability where instructions inside a PDF can hijack the agent's flow.
      ◦ Ingestion points: Untrusted data enters via scripts/convert_pdf_to_images.py (processing PDFs into images) and scripts/extract_form_field_info.py (extracting form metadata).
      ◦ Boundary markers: Absent. There are no delimiters or instructions provided to help the agent distinguish between PDF content and valid system instructions.
      ◦ Capability inventory: The skill provides capabilities for file system modification (writing PDFs and JSON) and execution of local Python scripts.
      ◦ Sanitization: Absent. There is no evidence of sanitization or filtering of the content extracted from the PDFs before it is presented to the agent.
  • Dynamic Execution (MEDIUM): The script scripts/fill_fillable_fields.py implements a runtime monkey-patch of the pypdf library (DictionaryObject.get_inherited). While used for a bug fix, this dynamic modification of library behavior is a characteristic pattern for altering execution flow in ways that can be difficult to audit.
  • External Downloads (LOW): The skill lists several third-party dependencies such as pypdf, pdfplumber, and pytesseract. While these are from trusted registries and the skill is authored by a trusted organization (Anthropic), they represent an external code dependency. [TRUST-SCOPE-RULE applied]
  • Command Execution (LOW): The skill utilizes command-line utilities such as qpdf and pdftotext. While these are used for their intended purpose, providing an agent with tools to execute shell commands increases the risk if the agent is compromised via injection.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 07:30 AM