Fail
Audited by Gen Agent Trust Hub on Jun 30, 2026
Risk Level: HIGHDATA_EXFILTRATIONPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [DATA_EXFILTRATION]: The skill instructs the agent to read a sensitive configuration file located at
~/.claude/PAI/SKILL.mdbefore starting any task. This file is documented to contain private information including a contact list, personal preferences, and security rules. - [PROMPT_INJECTION]: The instruction to load external context from
~/.claude/PAI/SKILL.mdattempts to configure the agent's behavior and security rules via an external file, which could be used to override default system instructions. - [PROMPT_INJECTION]: Indirect Prompt Injection Surface. The skill extracts text and tables from user-provided PDF files and processes them without sanitization or boundary markers.
- Ingestion points: PDF files are read and processed for text and image data in
SKILL.md,forms.md, and through scripts likeextract_form_field_info.py. - Boundary markers: Absent. The skill provides no instructions to the agent to ignore or delimit potentially malicious instructions embedded in the processed PDF content.
- Capability inventory: The skill can create and write files, manipulate PDF structure, and execute CLI tools via subprocesses in several scripts (e.g.,
Scripts/fill_fillable_fields.py). - Sanitization: Absent. Data extracted from untrusted PDF files is interpolated directly into the agent's context.
- [COMMAND_EXECUTION]: The script
Scripts/fill_fillable_fields.pyperforms a runtime monkeypatch of thepypdf.generic.DictionaryObject.get_inheritedmethod. This dynamic modification of library behavior at runtime introduces risks to execution integrity. Additionally, the skill frequently executes external CLI tools such asqpdfandpdftotextto process files.
Recommendations
- AI detected serious security threats
Audit Metadata