agent-research-aggregator
Pass
Audited by Gen Agent Trust Hub on Apr 20, 2026
Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes multiple local Python scripts (discover_logs.py, extract_experiments.py, format_po_inputs.py) to automate the discovery and formatting of research data. These scripts are self-contained and use standard Python libraries.\n- [DATA_EXFILTRATION]: The skill scans sensitive local directories including AI agent caches (.claude, .cursor, etc.) and the user's home directory. While this poses a potential exposure risk if data is sent to an external LLM, the implementation includes a robust skip list for known credential files (e.g., .env, secrets.json, token.json), private keys (.pem, .key), and binary files. Additionally, the LLM extraction prompt explicitly commands the removal of all personal identifying information (PII) and credentials before any data synthesis occurs.\n- [PROMPT_INJECTION]: As the skill processes logs from external agents which may contain untrusted data, it is susceptible to indirect prompt injection. The skill implements several mitigation strategies:\n
- Ingestion points: discover_logs.py catalogs files from diverse cache directories and project roots.\n
- Boundary markers: The skill uses <raw_experiments> XML-style tags to delimit processed data during the synthesis phase.\n
- Capability inventory: The agent can execute local Python scripts and manage files within the specified workspace.\n
- Sanitization: The extraction-prompt.md contains strict instructions to filter out non-experimental data, credentials, and PII, reducing the impact of embedded malicious instructions.
Audit Metadata