Pass
Audited by Gen Agent Trust Hub on Apr 16, 2026
Risk Level: SAFE
Full Analysis
- [INDIRECT_PROMPT_INJECTION]: The skill processes PDF files which are untrusted external data, creating a surface for potential indirect prompt injection attacks where text extracted from a document could influence agent behavior.
  - Ingestion points: PDF content is ingested via `pypdf`, `pdfplumber`, and `pdftotext`.
  - Boundary markers: No explicit delimiters or instructions are provided to the agent to treat extracted text as untrusted.
  - Capability inventory: The skill allows for local file system read/write operations and execution of processing tools like `qpdf` and `magick`.
  - Sanitization: There is no filtering of extracted text before it is processed by the agent.
- [DYNAMIC_EXECUTION]: The script `scripts/fill_fillable_fields.py` contains a monkeypatch for the `pypdf` library to fix a known issue with dictionary attribute inheritance. This is a legitimate development technique to handle library bugs and does not involve executing external or untrusted code at runtime.
- [REMOTE_CODE_EXECUTION]: The skill instructions and scripts execute several local system utilities, including `pdftotext`, `qpdf`, `pdftk`, and `magick`. These are standard tools for document and image processing and are used correctly within their intended functional scope.
Audit Metadata