Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill uses highly imperative and restrictive language in `forms.md` (e.g., "CRITICAL: You MUST complete these steps in order. Do not skip ahead") which attempts to rigidly override the agent's autonomous decision-making process.
- [INDIRECT_PROMPT_INJECTION]: The skill is designed to ingest and process text from external PDF files, creating a vulnerability surface for indirect prompt injection.
  - Ingestion points: `scripts/extract_form_structure.py`, `scripts/extract_form_field_info.py`, and extraction logic in `SKILL.md` via `pdfplumber` and `pypdf`.
  - Boundary markers: None. The skill does not provide the agent with delimiters or instructions to ignore potential commands embedded in the processed PDF text.
  - Capability inventory: The skill allows file reading, file writing, image generation, and the execution of local shell commands for PDF processing.
  - Sanitization: Extracted content is presented to the agent without validation or filtering for adversarial prompt instructions.
- [DYNAMIC_EXECUTION]: `scripts/fill_fillable_fields.py` implements a runtime monkeypatch of the `pypdf.generic.DictionaryObject.get_inherited` method. This dynamically modifies the library's behavior at execution time to handle specific form field attribute formats.
- [METADATA_POISONING]: There is a discrepancy between the skill author context ('teamily-ai') and the copyright notice in `LICENSE.txt` ('Anthropic, PBC'), which could lead to confusion regarding the source and support for the skill components.
Audit Metadata