portable-document-handler

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
Findings: PROMPT_INJECTION, COMMAND_EXECUTION

Full Analysis
  • [DYNAMIC_EXECUTION] (MEDIUM): The script scripts/fill_fillable_fields.py implements a monkeypatch_pydpf_method function that dynamically overrides the get_inherited method of the pypdf.generic.DictionaryObject class at runtime.
      • Evidence: Code in scripts/fill_fillable_fields.py replaces a library method to work around a specific list-joining bug.
      • Risk: While intended as a bug fix, dynamic modification of library behavior can lead to an unstable state or be used to hide malicious logic by altering standard library calls.
  • [PROMPT_INJECTION] (LOW): The forms.md file contains forceful instructional markers designed to override agent decision-making.
      • Evidence: Phrases such as "CRITICAL: You MUST complete these steps in order. Do not skip ahead" and "Follow the below steps exactly."
      • Risk: High-pressure instructions can be used to force the agent to ignore safety guardrails or follow a rigid, potentially unsafe workflow.
  • [INDIRECT_PROMPT_INJECTION] (LOW): The skill is designed to ingest and extract content from untrusted PDF files via pypdf, pdfplumber, and OCR (pytesseract).
      • Ingestion points: scripts/extract_form_field_info.py, scripts/check_fillable_fields.py, and scripts/convert_pdf_to_images.py all process user-provided PDF files.
      • Boundary markers: The prompt instructions do not specify any delimiters or safety warnings instructing the agent to treat the extracted PDF text as untrusted data.
      • Capability inventory: The skill can write to the local filesystem and execute system commands (qpdf, pdftotext, pdftk).
      • Sanitization: No sanitization or validation of the extracted PDF text or metadata is performed before it is presented to the agent context.
  • [COMMAND_EXECUTION] (SAFE): SKILL.md documents the use of external CLI tools such as qpdf, pdftk, and pdftotext via subprocess calls.
      • Evidence: Command examples in SKILL.md for merging, splitting, and decrypting PDFs.
      • Risk: Standard for the tool's purpose, but filename arguments require careful handling to prevent command injection (the provided scripts primarily use Python libraries rather than shell commands).
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 17, 2026, 06:00 PM