
Skill: research

Verdict: Warn

Audited by Gen Agent Trust Hub on May 24, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructions in SKILL.md provide shell command templates that interpolate the user-supplied <topic> variable directly into command strings for ao and grep (e.g., ao lookup --query "<topic>"). This pattern is vulnerable to command injection if the topic contains shell metacharacters, allowing for the execution of arbitrary shell commands if the agent follows the template literally with unsanitized input.
  • [DATA_EXFILTRATION]: The workflow includes commands to search for the research topic within ~/.claude/patterns/. This allows the agent to read configuration and patterns from the user's home directory, which are outside the intended scope of the project codebase and may contain sensitive data.
  • [REMOTE_CODE_EXECUTION]: The skill facilitates the spawning of autonomous sub-agents using various backends (Codex, Claude Native Teams, Background Tasks). These sub-agents are given prompts derived from research content, creating a surface for code execution across the local filesystem and network based on untrusted data.
  • [PROMPT_INJECTION]: As the skill processes untrusted data from codebase files and external web searches (via MCP tools like Firecrawl or Exa) to generate summaries and sub-agent prompts, it is susceptible to indirect prompt injection.
      ◦ Ingestion points: Reads files identified during exploration (Step 3, Tier 4) and fetches external content via MCP tools or WebFetch.
      ◦ Boundary markers: The instructions use <PACKET> and <description> tags for sub-agent prompts but lack explicit "ignore embedded instructions" warnings for the ingested data.
      ◦ Capability inventory: The skill has Write, Bash, and spawn_agent capabilities, allowing it to modify the filesystem, execute commands, and create new autonomous agents.
      ◦ Sanitization: There is no evidence of automated sanitization of the content ingested from the codebase or external sources before it is used to generate reports or sub-agent prompts.
  • [SAFE]: The skill references official Anthropic documentation and changelogs from the company's public GitHub repository to maintain environment compatibility. These references target trusted sources and do not introduce security risks.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 24, 2026, 09:33 PM