Pass
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: LOWPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (LOW): The skill is designed to ingest and process untrusted PDF documents, which serves as a potential surface for indirect prompt injection. \n
- Ingestion points:
scripts/extract_form_field_info.py,scripts/check_fillable_fields.py, andSKILL.md(via extraction examples). \n - Boundary markers: The skill relies on procedural boundaries described in
forms.md(manual 'Visual Analysis' steps) rather than automated sanitization. \n - Capability inventory: Local file creation and PDF annotation via
pypdfandPIL; documentation references CLI utilities (qpdf,pdftk). No network capabilities were found. \n - Sanitization: Relies on standard parsing via
pypdfandpdfplumberwithout additional sanitization of extracted text content. \n- [Dynamic Execution] (LOW): The scriptscripts/fill_fillable_fields.pyperforms a runtime monkeypatch on thepypdflibrary to address a specific bug in selection list handling. This is a localized and documented modification of library behavior. \n- [Command Execution] (LOW): Documentation and code withinSKILL.mdand the toolkit reference the use of standard external command-line utilities such asqpdf,pdftk, andpoppler-utils. These are standard tools for this domain but involve subprocess spawning with local file paths.
Audit Metadata