Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill processes untrusted PDF files to extract text and metadata.
  - Ingestion points: scripts/extract_form_field_info.py and scripts/fill_fillable_fields.py via pypdf.
  - Boundary markers: Absent in forms.md instructions.
  - Capability inventory: File-write operations in scripts/fill_fillable_fields.py and scripts/fill_pdf_form_with_annotations.py; subprocess execution suggested in SKILL.md for tools like qpdf and pdftk.
  - Sanitization: Absent. This creates a surface where malicious instructions embedded in a PDF could influence the agent's behavior during analysis.
- [Dynamic Execution] (MEDIUM): scripts/fill_fillable_fields.py implements runtime monkeypatching of the pypdf library to modify internal behavior.
- [Command Execution] (LOW): Documentation encourages use of system-level CLI tools for PDF operations.
- [External Downloads] (LOW): Depends on multiple external Python packages. Trusted source status (Anthropic) for the skill itself applies to the distribution, but the dependency chain remains an observation.
Recommendations
- AI detected serious security threats
Audit Metadata