Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is designed to ingest and process untrusted external data (PDF files). It provides the agent with significant capabilities, including writing new files and executing shell commands (e.g., `qpdf`, `pdftk`). There are no boundary markers or sanitization procedures described to prevent malicious instructions embedded within a PDF (via text, metadata, or OCR'd content) from influencing the agent's logic or command usage.
  - Ingestion points: PDF files processed via `pypdf` (in `scripts/extract_form_field_info.py`) and `pdfplumber` (in `SKILL.md`).
  - Boundary markers: None provided in the instructions or scripts.
  - Capability inventory: File modification/creation (`pypdf`, `reportlab`) and shell command execution (`qpdf`, `pdftotext`, `pdftk`).
  - Sanitization: None detected for extracted PDF content.
- [Dynamic Execution] (MEDIUM): The script `scripts/fill_fillable_fields.py` performs runtime monkeypatching of the `pypdf` library (`DictionaryObject.get_inherited`). While intended to work around a library bug, dynamic modification of imported modules increases the risk of unexpected behavior or exploitation.
- [Command Execution] (MEDIUM): `SKILL.md` explicitly instructs the agent to use powerful command-line utilities such as `qpdf` (including decryption commands) and `pdftk`. This capability, when paired with the ingestion of untrusted PDFs, presents a high risk if the agent is tricked into running commands with malicious arguments derived from document content.
Recommendations
- AI detected serious security threats
Audit Metadata