Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill processes PDF files from external sources, which introduces an indirect prompt injection surface. Maliciously crafted PDFs could contain text intended to influence the agent's behavior. However, the risk is significantly reduced by the structured workflow described in forms.md, which requires the agent to convert pages to images and perform visual analysis.
  - Ingestion points: PDF text and structure are parsed by pypdf and pdfplumber in scripts such as scripts/extract_form_structure.py and scripts/extract_form_field_info.py.
  - Boundary markers: The skill relies on process-based boundary markers (visual verification steps) rather than technical delimiters in the prompt content.
  - Capability inventory: The skill has the capability to write local files and execute external command-line tools.
  - Sanitization: No programmatic sanitization is applied to extracted text, but the multi-step verification process encourages safe handling.
- [COMMAND_EXECUTION]: The skill documentation and instructions facilitate the use of external command-line tools and involve runtime library modification for specific functionality.
  - Evidence: SKILL.md and forms.md instruct the agent to utilize standard utilities like qpdf, pdftotext, pdfimages, and ImageMagick. These are standard tools for the intended task of PDF processing.
  - Evidence: The script scripts/fill_fillable_fields.py uses a monkeypatching technique to modify the pypdf library at runtime. The function monkeypatch_pydpf_method overrides DictionaryObject.get_inherited to resolve field retrieval issues in certain forms. This is a local, static code modification for improved functionality and does not expose the system to arbitrary code execution from untrusted input.
Audit Metadata