search-lit
Warn
Audited by Gen Agent Trust Hub on May 5, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The fallback utility script `references/pubmed_eutils.sh` constructs a Python command using shell interpolation of the `${query}` and `${title}` variables. This pattern is vulnerable to command injection if the input contains single quotes, which could allow the execution of arbitrary Python code within the agent's shell environment. Remediation: Pass variables as arguments to Python rather than interpolating them directly into the command string.
- [EXTERNAL_DOWNLOADS]: The skill fetches scholarly metadata and preprints from well-known services including NCBI E-utilities (eutils.ncbi.nlm.nih.gov), CrossRef (api.crossref.org), Unpaywall (api.unpaywall.org), and OpenAlex (api.openalex.org).
- [PROMPT_INJECTION]: The skill possesses an attack surface for indirect prompt injection due to the processing of large volumes of external scholarly data.
  - Ingestion points: Data enters the context via PubMed, Semantic Scholar, and preprint server APIs through both MCP tools and the `pubmed_eutils.sh` script.
  - Boundary markers: While the skill documentation emphasizes verification protocols, it does not specify technical delimiters or 'ignore' instructions for the literature content itself.
  - Capability inventory: The skill has access to the `Bash`, `Write`, and `Edit` tools, which could be exploited if malicious instructions embedded in a paper's abstract are executed.
  - Sanitization: The scripts use standard JSON and XML parsers but do not sanitize text fields to detect or strip instructions hidden within scholarly abstracts.
Audit Metadata