section-writing-agent
Pass
Audited by Gen Agent Trust Hub on Apr 14, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill maintains an indirect prompt injection surface by ingesting content from multiple technical source files (idea.md, experimental_log.md, outline.json) and interpolating them into a multimodal LLM prompt. This behavior is consistent with the skill's primary purpose of synthesizing research data, and the associated risk is low because the agent lacks network or system-level capabilities that could be abused through injection.
  - Ingestion points: workspace/outline.json, workspace/inputs/idea.md, workspace/inputs/experimental_log.md, and workspace/inputs/conference_guidelines.md.
  - Boundary markers: Absent; the instructions do not specify the use of delimiters or isolation tags for user-provided technical data.
  - Capability inventory: The agent can write LaTeX files to the local workspace and execute internal Python scripts for validation. It has no access to the network or high-privilege system commands.
  - Sanitization: Absent.
- [COMMAND_EXECUTION]: The skill invokes local Python scripts (extract_metrics.py, latex_sanity.py, orphan_cite_gate.py) to perform data parsing and LaTeX integrity checks. These scripts are benign, using only standard library modules to process local files without performing any dangerous operations or shell-based evaluations of untrusted input.
Audit Metadata