content-refinement-agent

Pass

Audited by Gen Agent Trust Hub on May 17, 2026

Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill routinely executes latexmk to compile LaTeX source into PDF documents. LaTeX is a powerful typesetting system that can sometimes be configured to allow shell command execution via the \write18 command. While the skill includes a latex_sanity.py gate, the execution of a compiler on untrusted document content is a known security surface.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes untrusted LaTeX source code (paper.tex). Malicious instructions embedded within the paper's text or comments could potentially influence the agent's behavior during the refinement and review phases.
  • Ingestion points: The agent reads workspace/drafts/paper.tex and subsequent iterations in the workspace/refinement/ directory.
  • Boundary markers: The prompt in references/prompt.md attempts to use structured JSON output blocks to isolate data from commands.
  • Capability inventory: The skill possesses the ability to read and write files, execute shell commands (latexmk), and run Python scripts.
  • Sanitization: The skill employs several deterministic gates in references/safe-revision-rules.md, such as a grep for the word 'limitation' to prevent reward hacking and a numeric-claim check against an experimental log.
  • [COMMAND_EXECUTION]: The skill uses python3 -c within bash blocks in SKILL.md and references/halt-rules.md to parse JSON output. This involves executing dynamic Python code that processes the contents of potentially untrusted JSON files generated during previous steps.
Audit Metadata
Risk Level
SAFE
Analyzed
May 17, 2026, 04:53 AM
Security Audit — agent-trust-hub — content-refinement-agent