skills/phuryn/skills/pdf/Gen Agent Trust Hub

pdf

Pass

Audited by Gen Agent Trust Hub on Jun 26, 2026

Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
  • [INDIRECT_PROMPT_INJECTION]: The skill is designed to ingest and process untrusted PDF data, creating a surface for indirect prompt injection attacks.
  • Ingestion points: The skill uses pypdf, pdfplumber, and pytesseract to extract text and structure from user-provided PDF files (found in scripts/extract_form_structure.py and examples in SKILL.md).
  • Boundary markers: There are no explicit instructions or delimiters defined to prevent the agent from following instructions embedded within the extracted PDF text.
  • Capability inventory: The skill provides the agent with capabilities to write files to the filesystem and execute various command-line utilities.
  • Sanitization: Extracted text is passed into the agent's context without sanitization or filtering.
  • [COMMAND_EXECUTION]: The skill instructions and documentation in SKILL.md and FORMS.md rely on the execution of several CLI tools, including pdftotext, qpdf, pdftk, pdfimages, and magick. While these are standard tools, they represent an expanded attack surface if the agent is directed to use them on malicious inputs.
  • [DYNAMIC_EXECUTION]: The script scripts/fill_fillable_fields.py contains a monkeypatch_pydpf_method function that dynamically overrides the get_inherited method of the pypdf.generic.DictionaryObject class at runtime. This is done to ensure proper handling of PDF choice field options, but represents a dynamic code modification pattern.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 26, 2026, 11:49 AM
Security Audit — agent-trust-hub — pdf