reportlab
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- [Indirect Prompt Injection] (SAFE): The utility functions for creating invoices and documents ingest text data that is rendered into ReportLab Flowables. While the provided scripts do not explicitly sanitize input for ReportLab-supported XML tags (like , , or ), this is categorized as a best-practice violation for document generation rather than a malicious vulnerability. The documentation in the skill correctly notes the importance of escaping HTML when processing untrusted content.
- Ingestion points: Parameters in create_invoice (assets/invoice_template.py) and create_simple_document (scripts/quick_document.py).
- Boundary markers: Absent in the code logic; text is interpolated directly into Paragraph objects.
- Capability inventory: Local file writing (PDF generation) via ReportLab.
- Sanitization: Absent in script implementation, though documented as a requirement for handling untrusted data in references/text_and_fonts.md.
Audit Metadata