Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH
Threat categories: PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is highly susceptible to indirect prompt injection through external PDF files.
  - Ingestion points: scripts/convert_pdf_to_images.py and scripts/extract_form_field_info.py ingest untrusted PDF data into the agent's context (as images and JSON structures).
  - Boundary markers: Absent. forms.md instructs the agent to 'Carefully examine each PNG image' and 'determine the purpose of each form field' without safety delimiters or instructions to ignore embedded commands.
  - Capability inventory: The agent has the capability to write files (scripts/fill_fillable_fields.py), execute shell commands (SKILL.md), and perform complex reasoning based on the PDF content.
  - Sanitization: Absent. There is no filtering of text extracted via OCR or visual analysis before it influences agent logic.
- Command Execution (MEDIUM): SKILL.md documents the use of system-level CLI tools like qpdf, pdftk, and poppler-utils. If the agent interpolates untrusted filenames or metadata into these shell commands without strict sanitization, it could lead to command injection.
- Dynamic Execution (MEDIUM): scripts/fill_fillable_fields.py implements a monkeypatch via monkeypatch_pydpf_method(), which modifies the global behavior of pypdf.generic.DictionaryObject.get_inherited at runtime. While intended to fix a bug, runtime library modification is a risky pattern that can lead to unstable or insecure states.
- Unverifiable Dependencies (LOW): The skill requires several external Python packages (pypdf, pdfplumber, reportlab, pytesseract, pdf2image, Pillow) and system utilities. While these are common libraries, they represent a significant attack surface if vulnerabilities (like buffer overflows in PDF parsers) are exploited via malicious PDF files.
Recommendations
- AI detected serious security threats
Audit Metadata