paper-audit
Pass
Audited by Gen Agent Trust Hub on May 27, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill ingests and reviews untrusted content from academic papers, exposing the agent to potential indirect prompt injection (Category 8). \n
- Ingestion points: The skill reads .tex, .typ, and .pdf files through scripts/audit.py and scripts/prepare_review_workspace.py. \n
- Boundary markers: Content is segmented by section but lacks instructions to ignore malicious directives embedded in the paper text. \n
- Capability inventory: The skill can execute shell commands via subprocess.run (in scripts/audit.py), write files to a workspace, and perform network requests (in scripts/literature_search.py). \n
- Sanitization: Content is cleaned for parsing, but natural language instructions remain intact for processing by downstream agents. \n- [COMMAND_EXECUTION]: The skill executes internal Python scripts to perform deterministic checks. \n
- Evidence: scripts/audit.py uses subprocess.run to call modules like analyze_grammar.py and analyze_logic.py located within the skill or sibling directories. \n- [EXTERNAL_DOWNLOADS]: The skill fetches academic metadata from remote APIs for literature verification. \n
- Evidence: scripts/literature_search.py makes network requests to api.semanticscholar.org, export.arxiv.org, and api.tavily.com. \n
- Note: These are well-known academic services used specifically for the skill's literature grounding functionality.
Audit Metadata