Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill processes untrusted PDF files which may contain malicious instructions designed to influence agent behavior.
- Ingestion points: pypdf.PdfReader and pdfplumber.open are used throughout SKILL.md and scripts to read external files.
- Boundary markers: No explicit delimiters or ignore instructions are used when interpolating PDF content into the agent context.
- Capability inventory: The skill can write files (writer.write, image.save), execute CLI tools (qpdf, pdftotext), and perform OCR.
- Sanitization: No sanitization of PDF text or metadata is performed before processing.
- [Dynamic Execution] (MEDIUM): scripts/fill_fillable_fields.py uses a monkeypatching technique to modify the pypdf library at runtime (DictionaryObject.get_inherited = patched_get_inherited) to circumvent a specific bug.
- [EXTERNAL_DOWNLOADS] (INFO): References standard libraries from public registries. This finding is downgraded to INFO because the author (Anthropic) is a trusted source.
Recommendations
- AI detected serious security threats
Audit Metadata