bib-search-citation
Pass
Audited by Gen Agent Trust Hub on Apr 13, 2026
Risk Level: SAFE
Categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests content from external bibliography files (e.g., titles, abstracts, and annotations) and presents it to the agent for review. An attacker could embed malicious instructions within these fields to influence the agent's behavior.
  - Ingestion points: The scripts/search_bib.py script reads the content of user-provided .bib files, specifically targeting text fields like abstract and annotation.
  - Boundary markers: There are no explicit instructions or code-level delimiters used to wrap the bibliographic content to prevent the agent from interpreting embedded text as instructions.
  - Capability inventory: The agent environment includes Bash and Read tools, which could be targets for exploitation if the agent is misled by malicious data.
  - Sanitization: The script performs text normalization for search purposes but does not filter or sanitize the content for natural language instructions before displaying results to the agent.
- [COMMAND_EXECUTION]: The test suite (tests/test_bib_search.py) uses subprocess.run to execute the search and preview scripts.
  - Evidence: The run_python_script function executes the Python interpreter with script paths and arguments. This is a standard and safe practice for unit testing and does not use shell=True for arbitrary command execution.
Audit Metadata