content-refinement-agent
Pass
Audited by Gen Agent Trust Hub on May 17, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill routinely executes
latexmkto compile LaTeX source into PDF documents. LaTeX is a powerful typesetting system that can sometimes be configured to allow shell command execution via the\write18command. While the skill includes alatex_sanity.pygate, the execution of a compiler on untrusted document content is a known security surface. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes untrusted LaTeX source code (
paper.tex). Malicious instructions embedded within the paper's text or comments could potentially influence the agent's behavior during the refinement and review phases. - Ingestion points: The agent reads
workspace/drafts/paper.texand subsequent iterations in theworkspace/refinement/directory. - Boundary markers: The prompt in
references/prompt.mdattempts to use structured JSON output blocks to isolate data from commands. - Capability inventory: The skill possesses the ability to read and write files, execute shell commands (
latexmk), and run Python scripts. - Sanitization: The skill employs several deterministic gates in
references/safe-revision-rules.md, such as a grep for the word 'limitation' to prevent reward hacking and a numeric-claim check against an experimental log. - [COMMAND_EXECUTION]: The skill uses
python3 -cwithin bash blocks inSKILL.mdandreferences/halt-rules.mdto parse JSON output. This involves executing dynamic Python code that processes the contents of potentially untrusted JSON files generated during previous steps.
Audit Metadata