Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is susceptible to indirect prompt injection from processing untrusted PDF documents.\n
- Ingestion points: Data is extracted via
scripts/extract_form_field_info.py,scripts/convert_pdf_to_images.py, and various examples inSKILL.mdusingpypdfandpdfplumber.\n - Boundary markers: No delimiters or instructions are provided to the agent to treat extracted content as untrusted.\n
- Capability inventory: The skill possesses file write capabilities (
pypdf,reportlab,Pillow) and encourages the execution of shell commands (qpdf,pdftk).\n - Sanitization: No sanitization or validation of extracted text is performed before it is used in downstream tasks.\n- EXTERNAL_DOWNLOADS (MEDIUM): The documentation recommends the installation of several third-party Python libraries and system utilities from public repositories.\n- DYNAMIC_EXECUTION (MEDIUM): The script
scripts/fill_fillable_fields.pyperforms a runtime monkeypatch of thepypdf.generic.DictionaryObject.get_inheritedmethod, which is a form of dynamic code modification that can lead to unexpected security side effects.\n- COMMAND_EXECUTION (LOW): The skill guides the agent to use command-line tools for PDF processing, which could be exploited if inputs like filenames or parameters derived from PDFs are not properly sanitized.
Recommendations
- AI detected serious security threats
Audit Metadata