Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is highly susceptible to indirect prompt injection as its core function is to ingest and analyze untrusted external PDF files.
- Ingestion points: Data enters the agent context via
SKILL.md(usingpypdf,pdfplumber),scripts/extract_form_field_info.py, andscripts/convert_pdf_to_images.py. - Boundary markers: Absent. There are no delimiters or instructions to ignore embedded commands within the processed PDF content.
- Capability inventory: The skill allows for local file creation (
scripts/create_validation_image.py,scripts/fill_fillable_fields.py), OCR viapytesseract, and encourages the use of powerful CLI tools likeqpdfandpdftkthrough subprocess calls. - Sanitization: Absent. Content is parsed and interpreted directly from the PDF structure.
- [Dynamic Execution] (MEDIUM): The script
scripts/fill_fillable_fields.pyperforms a runtime monkeypatch of thepypdflibrary. - Evidence: The function
monkeypatch_pydpf_methodreassignspypdf.generic.DictionaryObject.get_inheritedto a local wrapper function at runtime. This practice can be used to hide malicious logic or lead to unstable behavior by modifying third-party library internals. - [Command Execution] (MEDIUM):
SKILL.mdprovides explicit instructions for the agent to execute shell commands usingqpdf,pdftotext,pdftk, andpdfimages. While these are legitimate tools, the potential for command injection exists if the agent interpolates unsanitized filenames or parameters into these shell strings.
Recommendations
- AI detected serious security threats
Audit Metadata