Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGHCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is designed to process untrusted PDF documents from external sources.
- Ingestion Points: Data enters the agent context through
PdfReaderinextract_form_field_info.py,convert_from_pathinconvert_pdf_to_images.py, andpdfplumber.openinSKILL.md. - Boundary Markers: There are no explicit delimiters or instructions provided to the agent to ignore or isolate instructions found within the processed PDF content.
- Capability Inventory: The skill enables file writing via
pypdfandPIL, and explicitly instructs the agent to execute shell commands (qpdf,pdftotext, and the provided Python scripts) inSKILL.mdandFORMS.md. - Sanitization: No sanitization or validation of extracted text or metadata is performed before the agent is asked to analyze it.
- External Dependencies (LOW): The skill requires several external Python packages (
pypdf,pdfplumber,reportlab,pandas,pytesseract,pdf2image) and system utilities (poppler-utils,qpdf). While these are standard tools, they represent an expanded attack surface for binary exploits when parsing complex PDF structures. - Dynamic Code Modification (LOW): The script
scripts/fill_fillable_fields.pycontains a runtime monkeypatch of thepypdflibrary (DictionaryObject.get_inherited). Although used here for a benign bug fix regarding selection lists, runtime modification of libraries is a technique often used in obfuscation or exploit scenarios. - Command Execution (LOW): The skill documentation (
SKILL.md) and workflows (FORMS.md) rely on the agent having the ability to execute shell commands to run utility scripts and CLI tools. This is a functional requirement but increases the impact of any successful prompt injection.
Recommendations
- AI detected serious security threats
Audit Metadata