Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is highly susceptible to indirect prompt injection through its PDF ingestion features.
  - Ingestion points: PDF text and metadata are extracted in `SKILL.md` (using `pdfplumber` and `pypdf`) and `scripts/extract_form_field_info.py`.
  - Boundary markers: None. Extracted text from external documents is not delimited or sanitized, allowing instructions within a PDF to potentially override agent behavior during the multi-step form-filling process described in `forms.md`.
  - Capability inventory: The skill can write files, modify PDFs, and add annotations. A malicious PDF could provide 'values' for forms that are actually prompt injections designed to hijack the agent's next steps.
  - Sanitization: None detected.
- Dynamic Execution (MEDIUM): The script `scripts/fill_fillable_fields.py` performs runtime code modification.
  - Evidence: The function `monkeypatch_pydpf_method` explicitly replaces the `get_inherited` method of `pypdf.generic.DictionaryObject` at runtime. While intended to fix a library bug, runtime monkeypatching increases the complexity of the execution environment and can introduce instability or be leveraged in multi-stage exploits.
- Command Execution (LOW): `SKILL.md` provides examples for using command-line utilities like `qpdf`, `pdftk`, and `pdftotext`. While these are standard tools, the agent may execute these with arguments derived from untrusted PDF content.
Recommendations
- AI detected serious security threats
Audit Metadata