skills/smallnest/langgraphgo/pdf/Gen Agent Trust Hub

pdf

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
  • PROMPT_INJECTION (HIGH): The skill is susceptible to Indirect Prompt Injection (Category 8).
      1. Ingestion: Untrusted data is ingested via pypdf, pdfplumber, and pdf2image (in scripts/convert_pdf_to_images.py).
      2. Boundary markers: Absent; there are no instructions to ignore embedded commands within the PDF content.
      3. Capability: The skill has extensive file-write and modification capabilities (scripts/fill_fillable_fields.py, scripts/fill_pdf_form_with_annotations.py).
      4. Sanitization: Absent. The forms.md guide explicitly directs the agent to 'analyze' and 'examine' the PDF content to determine the purpose of fields, creating a direct vector where malicious text or visual elements in a PDF can influence the agent's logic.
  • COMMAND_EXECUTION (LOW): SKILL.md provides examples for the agent to use CLI tools like qpdf, pdftk, and pdftotext. While these are standard utilities, providing the agent with patterns for shell command execution on untrusted file paths introduces a surface for argument injection.
  • Dynamic Execution (MEDIUM): The scripts/fill_fillable_fields.py file performs a runtime monkeypatch of the pypdf library (DictionaryObject.get_inherited). While documented as a bug fix, runtime modification of third-party library behavior is a high-risk pattern that can be exploited or cause instability.
  • EXTERNAL_DOWNLOADS (INFO): The skill documentation references several external dependencies (pypdf, pdfplumber, reportlab, pandas, pytesseract, pdf2image). These are standard, well-known packages, and the skill source is a trusted organization, so this finding is downgraded to INFO per trust rules.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 12:31 AM