Warn
Audited by Gen Agent Trust Hub on Jun 15, 2026
Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [DYNAMIC_EXECUTION]: The script `scripts/fill_fillable_fields.py` performs runtime monkeypatching of the `pypdf` library. It replaces `DictionaryObject.get_inherited` with a custom implementation to handle specific field attribute types. While intended to fix library behavior, dynamic modification of library code at runtime is a risky pattern that can lead to unexpected behavior or be used to intercept data.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8).
  - Ingestion points: Untrusted data enters the agent context via `pypdf`, `pdfplumber`, and `pdftotext` when reading PDF content (as seen in `SKILL.md`, `scripts/extract_form_structure.py`, and `scripts/extract_form_field_info.py`).
  - Boundary markers: The instructions do not define boundary markers (e.g., XML tags or delimiters) to wrap extracted text or warn the agent to ignore instructions embedded in the documents.
  - Capability inventory: The skill has high capabilities, including file system writes and shell command execution (`qpdf`, `pdftotext`, `pdftk`, `magick`).
  - Sanitization: There is no evidence of sanitization or filtering of the extracted text before it is presented to the agent or used in file/command operations.
- [COMMAND_EXECUTION]: The skill frequently uses subprocess calls to execute external CLI tools like `qpdf`, `pdftotext`, and `magick`. While these are standard for PDF processing, they present a risk if the agent constructs command strings using unsanitized data extracted from untrusted PDF files.