Pass
Audited by Gen Agent Trust Hub on Jun 14, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface. The skill is designed to process untrusted PDF documents to extract text, layout structure, and form metadata using scripts such as extract_form_structure.py and extract_form_field_info.py. This extracted content is then interpreted by the agent to determine how to fill forms or process data.
  - Ingestion points: Untrusted PDF content is ingested via pypdf, pdfplumber, and OCR processes.
  - Boundary markers: Not used. The instructions in forms.md lack explicit delimiters or warnings for the agent to ignore instructions that might be embedded within the analyzed PDF text or metadata.
  - Capability inventory: The skill can read/write files and execute external command-line tools.
  - Sanitization: No input validation or sanitization is performed on the text extracted from PDFs before it is presented to the agent.
- [COMMAND_EXECUTION]: Reliance on External Utilities. The skill instructions in SKILL.md and forms.md direct the agent to use various command-line tools for PDF manipulation, including pdftotext, qpdf, pdftk, and the ImageMagick magick command. These operations involve executing subprocesses with parameters derived from external files.
- [COMMAND_EXECUTION]: Runtime Library Monkeypatching. The script scripts/fill_fillable_fields.py performs a monkeypatch on the pypdf library (DictionaryObject.get_inherited). While intended to resolve specific PDF field attribute handling issues, modifying the behavior of imported libraries at runtime is a complex and high-privilege programming pattern.
- [PROMPT_INJECTION]: Metadata Provenance Inconsistency. The skill identifies the author as 'crazymsn', yet the LICENSE.txt file included with the skill claims copyright by 'Anthropic, PBC'. This discrepancy in ownership metadata can be misleading regarding the origin and safety verification of the skill's components.
Audit Metadata