paperbanana
Pass
Audited by Gen Agent Trust Hub on Jul 1, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses multiple bash scripts (scripts/install.sh, scripts/run.sh, scripts/run-mcp.sh) to interface with the host system. These scripts wrap the paperbanana CLI tool, allowing the agent to execute shell-level commands for installation, figure generation, and running an MCP server.
- [EXTERNAL_DOWNLOADS]: The installation process in scripts/install.sh uses pip to download the paperbanana package from external repositories. The scripts/run-mcp.sh script utilizes uvx to dynamically fetch and execute the MCP server component. Furthermore, the paperbanana data download command fetches a verified 254 MB dataset (PaperBananaBench) to local cache (references/evaluation-and-venues.md).
- [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface as it is designed to ingest and process untrusted external files including PDF papers, methodology text, and CSV/JSON data. Evidence: 1. Ingestion points: The generate and plot commands in SKILL.md and references/modes-and-cli.md accept --input and --data flags for external files. 2. Boundary markers: No explicit delimiters or instructions to ignore embedded commands are present in the scripts or markdown. 3. Capability inventory: The skill has access to shell execution (scripts/run.sh) and network/file tools (allowed-tools: Bash, Read, Write, WebFetch). 4. Sanitization: No sanitization or validation of input content is specified before the data is passed to the VLM-based planning agents.
Audit Metadata