Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The references/forms.md file contains strong procedural instructions (e.g., 'CRITICAL: You MUST complete these steps in order. Do not skip ahead to writing code.') designed to enforce a specific validation workflow for form filling.
- [DYNAMIC_EXECUTION]: The scripts/fill_fillable_fields.py script implements a runtime monkeypatch of the pypdf library (DictionaryObject.get_inherited) to resolve a known bug when handling PDF selection list fields. This modification occurs during script execution to ensure correct data processing.
- [COMMAND_EXECUTION]: The skill documentation (SKILL.md and references/reference.md) provides numerous examples and instructions for the agent to execute shell-based PDF utilities including qpdf, pdftotext, pdftk, and pdfimages.
- [INDIRECT_PROMPT_INJECTION]: The skill has a significant attack surface for indirect prompt injection because it processes untrusted PDF data.
  - Ingestion points: PDF content is ingested and parsed via pypdf, pdfplumber, and pytesseract (OCR) in various scripts such as scripts/extract_form_field_info.py and scripts/convert_pdf_to_images.py.
  - Boundary markers: There are no explicit instructions or delimiters provided to the agent to treat extracted PDF text as untrusted or to ignore instructions contained within the document.
  - Capability inventory: The skill possesses the ability to write files to the local system and execute a variety of command-line tools and Python scripts.
  - Sanitization: No sanitization, filtering, or validation is performed on the text extracted from PDF files before it is made available to the agent.
Audit Metadata