Pass
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: SAFE
PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- Indirect Prompt Injection (LOW): The skill processes untrusted PDF files, which could contain malicious instructions designed to influence the agent's behavior during analysis.
  - Ingestion points: `scripts/extract_form_field_info.py`, `scripts/convert_pdf_to_images.py`, and `scripts/fill_pdf_form_with_annotations.py`.
  - Boundary markers: None. There are no delimiters or warnings used when the agent reads content extracted from the PDFs.
  - Capability inventory: File system access for reading and writing PDF, JSON, and image files; PDF structure and metadata modification.
  - Sanitization: None. The skill extracts raw data for processing without validation against potential injection patterns.
- Unverifiable Dependencies & Remote Code Execution (LOW): The skill documentation suggests installing several external Python packages (`pypdf`, `pdfplumber`, `reportlab`, `pandas`, `pytesseract`, `pdf2image`, `Pillow`). These are well-known, industry-standard libraries. Given the trusted source (Anthropic), this is considered low risk per the trust scope rules.
- Dynamic Execution (LOW): The script `scripts/fill_fillable_fields.py` performs a runtime monkeypatch of the `pypdf` library to fix a specific bug in form field handling. This is a static, local code modification and does not execute untrusted external strings.
Audit Metadata