research
Pass
Audited by Gen Agent Trust Hub on Apr 13, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from multiple external sources (web search results, Reddit/discourse content, academic papers, and code repositories) and passes this data to subsequent agents and synthesis steps.
  - Ingestion points: External data enters the context through WebSearch, WebFetch, and the collected findings of parallel research agents.
  - Boundary markers: The instructions do not define clear delimiters or 'ignore instructions' warnings when passing external findings into the synthesis or next agent steps.
  - Capability inventory: The skill has access to the Bash, Write, and Agent tools, which could be misused if a malicious instruction from a research source is executed by the agent.
  - Sanitization: There is no evidence of sanitization, filtering, or validation of the external content before it is processed by the orchestrator.
- [COMMAND_EXECUTION]: The skill requests and uses the Bash tool to manage session state and potentially execute scripts within the tome package. While used for legitimate orchestration, this tool provides a broad capability that could be targeted if the agent's instructions are subverted.
- [EXTERNAL_DOWNLOADS]: The skill uses WebSearch and WebFetch to retrieve information from the internet. While necessary for its research purpose, these tools are the entry points for untrusted data from various third-party domains.
Audit Metadata