pdf

Pass

Audited by Gen Agent Trust Hub on Apr 23, 2026

Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill processes untrusted PDF documents, creating a surface for indirect prompt injection where malicious instructions could be embedded in document text or metadata.
      • Ingestion points: PDF files are ingested through pypdf, pdfplumber, and pdf2image in scripts/check_fillable_fields.py, scripts/extract_form_field_info.py, and scripts/convert_pdf_to_images.py.
      • Boundary markers: No explicit delimiters or instructions are used to separate untrusted content from the agent's context.
      • Capability inventory: The skill can execute local shell commands (qpdf, pdftotext) and perform file write operations.
      • Sanitization: No sanitization or filtering is applied to the extracted text or form metadata before it is presented to the agent.
  • [DYNAMIC_EXECUTION]: The script scripts/fill_fillable_fields.py monkeypatches the pypdf library's DictionaryObject.get_inherited method at runtime, dynamically modifying library logic during execution to correct its handling of specific PDF selection list structures.
  • [COMMAND_EXECUTION]: The instructions in SKILL.md and forms.md direct the agent to execute multiple local shell tools (qpdf, pdftotext, pdftk) and custom Python scripts within the skill's directory to perform document manipulation tasks.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 23, 2026, 10:56 AM
Security Audit — agent-trust-hub — pdf