Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill's workflow for handling non-fillable forms (defined in forms.md) involves converting untrusted PDFs into images for visual analysis by the agent. This is a high-risk ingestion point for malicious instructions.
  * Ingestion points: scripts/convert_pdf_to_images.py and the OCR logic described in SKILL.md.
  * Boundary markers: Absent; there are no instructions to distinguish between form content and potential malicious commands.
  * Capability inventory: File system writes (PdfWriter.write), system command execution, and agent-driven decision making.
  * Sanitization: Absent; the agent is directly prompted to interpret untrusted visual data.
- [Dynamic Execution] (MEDIUM): The script scripts/fill_fillable_fields.py performs a runtime monkeypatch of the pypdf library. Modifying executable code at runtime is a dangerous pattern that can lead to unexpected behavior or exploitation.
- [Unverifiable Dependencies & Remote Code Execution] (LOW): The skill references several third-party libraries (pytesseract, pdf2image, pdf-lib) and command-line tools (qpdf, pdftk). While these come from reputable sources, they are external dependencies that the skill relies on for operation and whose integrity is not verified by the skill.
- [Command Execution] (MEDIUM): SKILL.md contains multiple examples of shell commands for PDF manipulation. If the agent executes these with input derived from untrusted PDF metadata or content (for example, a file name or field value taken from the PDF), it could be vulnerable to command injection.
Recommendations
- AI detected serious security threats
Audit Metadata