Warn
Audited by Gen Agent Trust Hub on Apr 14, 2026
Risk Level: MEDIUM
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The script `scripts/fill_fillable_fields.py` implements a monkeypatching technique to modify the `pypdf` library at runtime. Specifically, it redefines the `DictionaryObject.get_inherited` method to work around a bug in the library's handling of selection list fields. Runtime code alteration is a form of dynamic execution.
- [COMMAND_EXECUTION]: The skill provides instructions and examples for executing various system-level command-line utilities, including `pdftotext`, `qpdf`, `pdftk`, and `pdftoppm`. These tools interact with the host system to perform PDF conversions and manipulations.
- [PROMPT_INJECTION]: The skill possesses an attack surface for indirect prompt injection because its primary function involves processing data from untrusted PDF files.
  - Ingestion points: PDF content is read and parsed using `pypdf` and `pdfplumber` across multiple scripts and documentation files.
  - Boundary markers: The instructions do not define security delimiters or include warnings for the agent to ignore potentially malicious commands embedded within extracted PDF text.
  - Capability inventory: The skill has significant capabilities, including the ability to write files to the local filesystem and execute shell commands.
  - Sanitization: There is no evidence of sanitization or validation of content extracted from PDFs before it enters the agent's context.
- [PROMPT_INJECTION]: There is a potential metadata inconsistency regarding the skill's origin. The skill is attributed to the author `isomoes`, but the `LICENSE.txt` file contains a copyright notice for `Anthropic, PBC` with highly restrictive proprietary terms. This discrepancy in provenance and licensing information can be misleading regarding the ownership and safety of the code.
Audit Metadata