Warn
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: MEDIUM
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The instructions in forms.md utilize high-pressure language (e.g., "CRITICAL: You MUST complete these steps in order. Do not skip ahead...") to direct the agent's workflow. This approach mirrors techniques used in prompt injection to override an agent's standard operational constraints.
- [PROMPT_INJECTION]: There is a conflict in the skill's metadata; while the author is listed as wulaosiji, the LICENSE.txt file identifies Anthropic, PBC as the copyright holder. Such inconsistencies in ownership claims are misleading and can impact the assessment of the skill's trustworthiness.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes untrusted PDF documents.
  - Ingestion points: Data is extracted from user-provided PDF files through libraries like pypdf, pdfplumber, and pypdfium2 in files such as SKILL.md and scripts/extract_form_structure.py.
  - Boundary markers: The skill does not employ delimiters or specific instructions to help the agent distinguish between document content and operational commands.
  - Capability inventory: The skill possesses capabilities for reading, writing, and modifying PDF files, which provides a significant attack surface if an attacker embeds malicious instructions in a processed document.
  - Sanitization: Extracted text and metadata are used without validation or sanitization.
- [COMMAND_EXECUTION]: The script scripts/fill_fillable_fields.py performs runtime modification of the pypdf library using a monkey-patching technique on the DictionaryObject.get_inherited method. This dynamically alters the expected behavior of an external dependency during the skill's operation.
Audit Metadata