Pass
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes untrusted PDF files. Maliciously crafted documents could contain instructions designed to influence the agent's behavior during visual analysis or data extraction.
  - Ingestion points: PDF files are ingested through several scripts including scripts/convert_pdf_to_images.py, scripts/extract_form_field_info.py, and scripts/check_fillable_fields.py.
  - Boundary markers: The skill does not implement explicit boundary markers or instructions to the agent to ignore commands found within the PDF content.
  - Capability inventory: The skill has the capability to read and write files using pypdf and Pillow, and its documentation suggests the use of various command-line utilities.
  - Sanitization: The scripts/fill_fillable_fields.py script performs validation of input values against the extracted PDF field metadata (type and valid options) before writing.
- [COMMAND_EXECUTION]: The documentation guides the agent to use several external command-line tools for document manipulation.
  - Evidence: SKILL.md and reference.md provide examples for using pdftotext, qpdf, pdftk, and pdftoppm. While these are standard tools, they represent an execution capability that requires careful handling of arguments.
- [REMOTE_CODE_EXECUTION]: The skill uses dynamic execution techniques to modify library behavior at runtime.
  - Evidence: scripts/fill_fillable_fields.py includes a function monkeypatch_pydpf_method which replaces pypdf.generic.DictionaryObject.get_inherited with a patched version to fix a known bug in selection list handling. Although documented as a bug fix, runtime modification of third-party libraries is a dynamic execution pattern.
Audit Metadata