skills/sargupta/sahayakai/pdf/Gen Agent Trust Hub

pdf

Pass

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill references and recommends the installation of several well-known and reputable PDF processing libraries and command-line utilities (e.g., pypdf, pdfplumber, reportlab, qpdf, poppler-utils, pdf-lib). These are standard tools for the skill's primary functionality.
  • [COMMAND_EXECUTION]: The skill provides instructions and automation scripts that execute external PDF manipulation tools via system shell commands, which is expected for this type of toolkit.
  • [DATA_EXFILTRATION]: Documentation in forms.md contains hardcoded absolute directory paths from the author's local development environment (/Users/sargupta/...), which results in minor information leakage regarding internal system structures.
  • [REMOTE_CODE_EXECUTION]: The script fill_fillable_fields.py employs a runtime monkeypatching technique to modify the pypdf library's internal logic. While this is documented as a workaround for a specific bug in selection list handling, dynamic code modification is a sensitive practice.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection when processing untrusted PDF documents. Malicious instructions embedded in PDFs could attempt to manipulate agent behavior during text extraction or visual analysis steps.
    • Ingestion points: PDF document content parsed by pypdf and pdfplumber.
    • Boundary markers: None identified in the processing scripts.
    • Capability inventory: File system read/write access and execution of various command-line utilities.
    • Sanitization: No specific content validation or escaping is applied to extracted PDF data before it is used by the agent.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 1, 2026, 01:35 AM