Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION)
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is vulnerable to indirect prompt injection because it processes untrusted PDF data, which can contain hidden instructions that hijack the agent's reasoning or actions.
  * Ingestion points: `scripts/extract_form_field_info.py`, `scripts/check_fillable_fields.py`, and `scripts/convert_pdf_to_images.py` ingest and process external PDF files.
  * Boundary markers: Absent. There are no delimiters or explicit instructions provided to the agent to treat PDF content as untrusted data.
  * Capability inventory: The skill allows writing and modifying files via `scripts/fill_fillable_fields.py` and `scripts/fill_pdf_form_with_annotations.py`.
  * Sanitization: Absent. No filtering or sanitization is performed on text or metadata extracted from the documents.
- REMOTE_CODE_EXECUTION (MEDIUM): The script `scripts/fill_fillable_fields.py` performs dynamic monkeypatching (`monkeypatch_pydpf_method`) by overriding methods in the `pypdf` library at runtime. While used for a bug fix, dynamic modification of library logic is a risky pattern categorized under dynamic execution.
- COMMAND_EXECUTION (LOW): `SKILL.md` documents several CLI utilities (`pdftotext`, `qpdf`, `pdftk`) and provides examples of their use in shell environments, representing a potential but managed command execution surface.
Recommendations
- AI detected serious security threats
Audit Metadata