pdf

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS
Full Analysis
  • PROMPT_INJECTION (HIGH): The skill is highly susceptible to Indirect Prompt Injection. Ingestion points include text/table extraction using pdfplumber and pypdf, as well as visual analysis of images generated from PDF pages. There are no boundary markers or sanitization steps mentioned, and the agent is explicitly instructed to 'determine the purpose' of extracted content. The agent's capabilities include writing files and executing arbitrary commands, making successful injection very impactful.
  • COMMAND_EXECUTION (MEDIUM): The skill encourages the use of CLI tools like qpdf, pdftotext, and pdftk. If an agent uses data extracted from a malicious PDF (such as a title or metadata) to construct these commands, it could lead to command injection.
  • CREDENTIALS_UNSAFE (MEDIUM): Documentation in SKILL.md provides examples where passwords are passed as cleartext command-line arguments (e.g., qpdf --password=mypassword), which is a significant security risk for credential exposure in process lists or shell history.
  • EXTERNAL_DOWNLOADS (LOW): The skill relies on multiple Python packages including pypdf, pdfplumber, reportlab, pytesseract, pdf2image, pandas, and Pillow. None of these dependencies are version-pinned, which can lead to supply chain risks or inconsistent behavior.
  • Dynamic Execution (MEDIUM): The script scripts/fill_fillable_fields.py performs a runtime monkeypatch of the pypdf library's DictionaryObject.get_inherited method. While the patch is intended to fix a specific bug, runtime modification of third-party libraries is a risky practice that can lead to unexpected side effects or be exploited if the patch logic is flawed.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 03:35 AM