skills/zephyrwang6/myskill/pdf/Gen Agent Trust Hub

pdf

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • PROMPT_INJECTION (HIGH): The skill is vulnerable to indirect prompt injection (Category 8). It ingests untrusted PDF data through text extraction and OCR (evidence in scripts/extract_form_field_info.py and scripts/convert_pdf_to_images.py). Since the skill includes capabilities to write and modify files (evidence in scripts/fill_fillable_fields.py and scripts/fill_pdf_form_with_annotations.py), a malicious PDF could contain instructions designed to influence the agent's behavior. There are no boundary markers or sanitization steps implemented to mitigate this risk.
  • COMMAND_EXECUTION (LOW): The documentation in SKILL.md suggests using command-line tools like qpdf and pdftk. If filenames are not properly handled by the agent, this could lead to shell injection vulnerabilities.
  • DYNAMIC_EXECUTION (MEDIUM): The script scripts/fill_fillable_fields.py monkeypatches the pypdf library at runtime. While the intent is a bug fix, modifying library behavior at runtime (Category 10) is a risky practice that should be reviewed, as it can lead to unexpected side effects or bypass security assumptions.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 02:12 AM