pdf

Warn

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION
Full Analysis
  • Indirect Prompt Injection (MEDIUM): The skill processes untrusted external PDF documents. A malicious PDF could contain embedded instructions designed to influence the agent's behavior during extraction or form-filling operations.
      * Ingestion points: PDF files are read using pypdf and pdfplumber in all script files.
      * Boundary markers: Missing; the skill relies on the agent to interpret the visual structure of the document.
      * Capability inventory: Scripts can write files (image.save, writer.write) and are instructed to execute shell commands like qpdf and pdftk.
      * Sanitization: forms.md includes a validation script (check_bounding_boxes.py) to help the agent verify its own field placement logic.
  • Dynamic Execution (MEDIUM): The file scripts/fill_fillable_fields.py performs a runtime monkeypatch on the pypdf library.
      * Evidence: The function monkeypatch_pydpf_method() redefines DictionaryObject.get_inherited at runtime to correct a type mismatch bug in selection list handling. While the logic appears benign and functional, runtime modification of libraries is a sensitive operation.
  • Command Execution (LOW): The SKILL.md documentation encourages the agent to use system utilities such as qpdf, pdftotext, and pdftk. While appropriate for the task, executing CLI tools on untrusted external data is a known attack surface.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 16, 2026, 09:26 AM