Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- Prompt Injection (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8). Untrusted data enters the agent context via text extraction in SKILL.md (pypdf, pdfplumber) and visual analysis instructions in forms.md using images generated by scripts/convert_pdf_to_images.py. There are no boundary markers or instructions to sanitize or ignore embedded commands. Given the skill's capabilities for file writing (PdfWriter.write) and agent-led shell execution, a malicious PDF could override the system prompt or cause unauthorized file operations. The skill also uses prescriptive language (e.g., 'CRITICAL', 'MUST', 'follow exactly') in forms.md which can be used to override default agent safety constraints.
- Command Execution (MEDIUM): SKILL.md provides explicit bash command examples (qpdf, pdftk, pdftotext) for the agent to execute. This creates an attack surface for command injection if the agent uses these tools with unsanitized parameters derived from PDF content or metadata.
- Dynamic Execution (MEDIUM): The scripts/fill_fillable_fields.py script performs runtime monkeypatching of the pypdf library (DictionaryObject.get_inherited). While intended as a workaround for a library bug, dynamic modification of library behavior at runtime is a significant security risk (Category 10).
Recommendations
- AI detected serious security threats
Audit Metadata