Result: Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill's primary function is to ingest and process untrusted PDF documents through various extraction tools. This creates a significant attack surface: malicious instructions embedded in a PDF (in its text or its metadata) can influence the agent's behavior.
  - Ingestion points: The skill uses `pypdf`, `pdfplumber`, and `pytesseract` (OCR) to extract content from external PDF files supplied at runtime.
  - Boundary markers: No boundary markers or "ignore embedded instructions" prompts are implemented to separate the PDF's data from the agent's instructions.
  - Capability inventory: The skill has extensive capabilities, including file system writes (creating new PDFs and images) and the execution of complex shell commands via `qpdf`, `pdftk`, and `pdftotext`.
  - Sanitization: There is no evidence that extracted text is sanitized or filtered before it is returned to the agent context.
- Dynamic Execution (MEDIUM): The script `scripts/fill_fillable_fields.py` implements a runtime monkeypatch of the `pypdf` library.
  - Evidence: The function `monkeypatch_pydpf_method` redefines `DictionaryObject.get_inherited` at runtime. Although the intent is to work around a bug in the upstream library, modifying a library class at runtime is a risky pattern that can cause instability or be leveraged as a step in a more complex exploit chain.
- Command Execution (LOW): The skill relies heavily on calling external binaries (`qpdf`, `pdftk`, `pdftotext`). Although they are used for their intended purpose, the commands are often built by interpolating file paths or user-provided arguments, which requires careful handling (argument lists rather than shell strings, and validation of paths) to prevent shell injection.
Recommendations
- AI detected serious security threats