Pass
Audited by Gen Agent Trust Hub on Jun 26, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [INDIRECT_PROMPT_INJECTION]: The skill is designed to ingest and process untrusted PDF data, creating a surface for indirect prompt injection attacks.
- Ingestion points: The skill uses
pypdf,pdfplumber, andpytesseractto extract text and structure from user-provided PDF files (found inscripts/extract_form_structure.pyand examples inSKILL.md). - Boundary markers: There are no explicit instructions or delimiters defined to prevent the agent from following instructions embedded within the extracted PDF text.
- Capability inventory: The skill provides the agent with capabilities to write files to the filesystem and execute various command-line utilities.
- Sanitization: Extracted text is passed into the agent's context without sanitization or filtering.
- [COMMAND_EXECUTION]: The skill instructions and documentation in
SKILL.mdandFORMS.mdrely on the execution of several CLI tools, includingpdftotext,qpdf,pdftk,pdfimages, andmagick. While these are standard tools, they represent an expanded attack surface if the agent is directed to use them on malicious inputs. - [DYNAMIC_EXECUTION]: The script
scripts/fill_fillable_fields.pycontains amonkeypatch_pydpf_methodfunction that dynamically overrides theget_inheritedmethod of thepypdf.generic.DictionaryObjectclass at runtime. This is done to ensure proper handling of PDF choice field options, but represents a dynamic code modification pattern.
Audit Metadata