Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE
Full Analysis
- [INDIRECT_PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection as it extracts and processes text content from user-provided PDF files via `scripts/extract_form_structure.py` and `scripts/extract_form_field_info.py`.
  - Ingestion points: Data enters the agent context through PDF text extraction in `SKILL.md`, `forms.md`, and the scripts folder.
  - Boundary markers: No explicit boundary markers or 'ignore' instructions are used when interpolating PDF content into prompts.
  - Capability inventory: The skill can execute subprocesses (`magick`, `qpdf`, `pdftotext`), write files to the system, and perform network operations if certain libraries (like `pytesseract`) are configured to do so.
  - Sanitization: There is no evidence of sanitization or filtering of the extracted text before it is presented to the AI agent.
- [COMMAND_EXECUTION]: The documentation in `forms.md` and `SKILL.md` instructs the agent to execute various CLI tools for PDF and image manipulation.
  - Evidence: Instructions include the use of `qpdf`, `pdftotext`, `pdftk`, and `magick` (ImageMagick) to process files.
- [DYNAMIC_EXECUTION]: The script `scripts/fill_fillable_fields.py` performs a runtime modification (monkeypatch) of a library method.
  - Evidence: The `monkeypatch_pydpf_method` function replaces `pypdf.generic.DictionaryObject.get_inherited` with a custom implementation to handle specific field return types.
Audit Metadata