Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTIONREMOTE_CODE_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is designed to ingest and process untrusted PDF documents. It possesses extensive capabilities to write files, modify PDFs, and convert content to images. An attacker could potentially use a specially crafted PDF to exploit parsing vulnerabilities or mislead the agent into performing incorrect actions during the multi-step form-filling process.
- Ingestion points:
pypdf.PdfReader(multiple scripts),pdfplumber.open(SKILL.md),convert_from_path(scripts/convert_pdf_to_images.py). - Boundary markers: Absent. The instructions do not specify how to isolate untrusted content from the agent's instructions.
- Capability inventory: File writing (
PdfWriter), image saving (PIL), and command-line execution (qpdf,pdftk, etc.). - Sanitization: Limited to coordinate validation in
scripts/check_bounding_boxes.py; no content sanitization is present. - [Dynamic Execution] (MEDIUM):
scripts/fill_fillable_fields.pyperforms a runtime monkeypatch on thepypdflibrary. - Evidence:
monkeypatch_pydpf_method()replacespypdf.generic.DictionaryObject.get_inheritedwith a custom implementation to fix a bug in selection list handling. Runtime modification of dependencies increases the risk of unexpected behavior or conflict with other skills. - [Command Execution] (LOW):
SKILL.mdandforms.mdrecommend the use of several CLI tools (pdftotext,qpdf,pdftk) and provide the agent with commands to run Python scripts. While standard for this domain, these tools are executed on untrusted PDF inputs.
Recommendations
- AI detected serious security threats
Audit Metadata