Pass
Audited by Gen Agent Trust Hub on Feb 23, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes content from untrusted PDF documents.
- Ingestion points: Data enters through scripts like `scripts/extract_form_field_info.py` and `scripts/fill_fillable_fields.py` using `pypdf`, and through extraction examples in documentation.
- Boundary markers: No explicit delimiters or guardrail instructions are used to distinguish untrusted PDF content from agent instructions.
- Capability inventory: The agent can execute local Python scripts via subprocess and perform file system operations to read and write document data.
- Sanitization: No sanitization or validation of extracted text is implemented before the agent interprets the data.
- [COMMAND_EXECUTION]: The skill's operational logic in `forms.md` directs the agent to execute shell commands to run internal Python scripts for file conversion, field extraction, and PDF filling.
- [SAFE]: The skill relies on well-known and reputable PDF libraries such as `pypdf`, `pdfplumber`, and `reportlab`. The monkeypatch in `scripts/fill_fillable_fields.py` is a static bug fix for a specific library issue and does not represent a malicious dynamic execution vector.
Audit Metadata