Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUMPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (MEDIUM): The skill is designed to ingest and process untrusted external data in the form of PDF files, which represents a significant attack surface.
- Ingestion points: Untrusted data enters the agent context through extracted PDF text, document metadata (author, title), and form field names/identifiers extracted in
scripts/extract_form_field_info.py. - Boundary markers: The skill lacks explicit boundary markers or instructions for the agent to disregard potential commands embedded within the PDF content or field names.
- Capability inventory: The skill possesses capabilities to write files (PDF, images, JSON), manipulate images, and utilize command-line utilities (e.g., qpdf, pdftotext).
- Sanitization: There is no evidence of sanitization or filtering of extracted text before it is used for automated decision-making or form-filling logic.
- Dynamic Execution (MEDIUM): The script
scripts/fill_fillable_fields.pyperforms runtime code modification of a third-party library. - Evidence: The function
monkeypatch_pydpf_method()redefinespypdf.generic.DictionaryObject.get_inheritedat runtime. While documented as a workaround for a specific library bug, runtime monkeypatching is a fragile pattern that could be abused or lead to unexpected code execution paths if the library's internal state is manipulated by untrusted inputs.
Audit Metadata