scientific-writing

Warn

Audited by Gen Agent Trust Hub on May 11, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructions in 'SKILL.md' direct the agent to execute a shell command: 'uv run ~/.codex/skills/inno-figure-gen/scripts/generate_image.py'. This execution pattern involves running a script located in a different skill's directory on the local file system. This command also implies potential network activity as it requires an API key (e.g., 'GEMINI_API_KEY').
  • [EXTERNAL_DOWNLOADS]: The skill workflow relies on fetching data from external sources, specifically 'trusted web sources' and an 'installed literature-search skill', which could result in the ingestion of unverified content.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it instructs the agent to process and expand external literature and notes into prose. Malicious instructions embedded in these external sources could be executed by the agent during the transformation phase.
  • Ingestion points: 'SKILL.md' (Section 7, Stage 1: 'Gather the relevant literature and data from verified local notes, trusted web sources, or an installed literature-search skill').
  • Boundary markers: None identified; the skill does not instruct the agent to use delimiters or warnings for the ingested content.
  • Capability inventory: The skill facilitates command execution (via 'uv run') and file system writes (saving figures to the 'figures/' directory).
  • Sanitization: No sanitization, validation, or filtering mechanisms are described for the ingested external data.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: May 11, 2026, 02:11 AM