Pass
Audited by Gen Agent Trust Hub on Feb 22, 2026
Risk Level: SAFE COMMAND_EXECUTION PROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (LOW): The skill's primary function involves ingesting and processing untrusted PDF documents. This creates a surface for indirect prompt injection, where malicious instructions hidden in a PDF (e.g., in text, tables, or metadata) could attempt to influence the agent's logic. (Files: SKILL.md, scripts/convert_pdf_to_images.py, scripts/extract_form_field_info.py)
  - Ingestion points: Processes PDF pages via pypdf, pdfplumber, and pdf2image.
  - Boundary markers: No explicit delimiters or safety instructions are used to separate untrusted document content from the agent's system instructions.
  - Capability inventory: The skill allows file system writes and execution of PDF utilities.
  - Sanitization: No sanitization of extracted text is performed before it is presented to the agent.
- Command Execution (LOW): The skill documentation provides examples for the agent to execute various command-line tools like pdftotext, qpdf, and pdftk for document manipulation. (File: SKILL.md)
- Dynamic Execution (LOW): The script scripts/fill_fillable_fields.py performs a runtime monkeypatch of the pypdf library to fix a known bug in selection list field handling in version 5.7.0. While this is a form of dynamic code modification, it is hardcoded, well-documented, and localized to a specific version workaround. (File: scripts/fill_fillable_fields.py)
Audit Metadata