Warn
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: MEDIUM (findings: COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- COMMAND_EXECUTION (LOW): The skill invokes several local Python scripts (e.g., check_fillable_fields.py, convert_pdf_to_images.py) using the system shell and specific environment variables like PYTHONPATH=gateway/tools. This is a standard functional pattern but assumes the local tools directory is secure and not writable by the agent itself.
- PROMPT_INJECTION (MEDIUM): This skill exhibits a significant Indirect Prompt Injection (Category 8) attack surface because its core function is to ingest and act upon untrusted PDF data.
  - Ingestion points: Untrusted data enters the agent's context through file paths like input.pdf, processed by tools such as pdfplumber and pypdf in 'Phase 2-A'.
  - Boundary markers: The skill does not define clear delimiters or instruction-isolation markers (e.g., XML tags or headers) to prevent the agent from mistaking text inside a PDF for system-level instructions.
  - Capability inventory: The agent has the capability to write files, execute subprocesses, and delegate tasks to subagents based on the content parsed from these PDFs.
  - Sanitization: There is no evidence of sanitization or filtering logic to strip potentially malicious instructions from the extracted PDF text before it is used to influence the workflow.
Audit Metadata