Warn
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: MEDIUM (PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection by processing untrusted data from PDF files.
  - Ingestion points: PDF content and form field metadata are read in scripts/extract_form_field_info.py, scripts/convert_pdf_to_images.py, and various code snippets in SKILL.md and reference.md.
  - Boundary markers: No explicit delimiters or instructions to ignore embedded commands are implemented when extracting or processing PDF text.
  - Capability inventory: The skill includes scripts for file-writing (fill_fillable_fields.py, fill_pdf_form_with_annotations.py) and suggests executing multiple command-line utilities.
  - Sanitization: No sanitization or validation of content extracted from PDFs is performed before it is used by the agent.
- [COMMAND_EXECUTION]: The skill's operation relies on the execution of local scripts and system-level binaries.
  - Script execution: The instructions in forms.md direct the agent to run several local Python scripts to process PDFs.
  - External tools: Recommends using command-line tools such as qpdf, pdftotext, pdftk, and pdftoppm.
  - Dynamic behavior: scripts/fill_fillable_fields.py uses a runtime monkeypatch to modify the pypdf library's internal method get_inherited to resolve a bug.
- [EXTERNAL_DOWNLOADS]: The documentation suggests installing multiple third-party libraries from well-known sources.
  - Python packages: Recommends pypdf, pdfplumber, reportlab, pytesseract, pdf2image, pandas, and pypdfium2.
  - Node.js packages: References pdf-lib and pdfjs-dist in the advanced guide.
Audit Metadata