arxiv
Fail
Audited by Gen Agent Trust Hub on Apr 10, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill's documentation recommends that users install the 'uv' tool by piping a script from astral.sh directly to the shell. While astral.sh is the official domain for a well-known service (Astral), piped shell execution is documented as a finding for visibility. In this context, it is used for legitimate environment setup.
- [COMMAND_EXECUTION]: The Python package bundled with the skill uses 'subprocess.call' to open downloaded PDF files using system-standard utilities like 'open', 'start', or 'xdg-open'. The command is executed by passing a list of arguments, which effectively mitigates the risk of shell command injection.
- [PROMPT_INJECTION]: The skill retrieves and displays titles and abstracts from arXiv, which is a source of untrusted external data. This creates a surface for indirect prompt injection, where malicious instructions embedded in paper metadata could theoretically attempt to influence the agent's behavior.
- Ingestion points: The 'arxiv_download/src/retrieve.py' script fetches and parses metadata directly from arXiv web pages.
- Boundary markers: No explicit delimiters or instructions are used to separate the external metadata from the agent's primary instructions.
- Capability inventory: The skill can write to the local file system (saving PDFs) and execute commands to open files via 'arxiv_download/src/arxiv_script.py'.
- Sanitization: Metadata text is presented to the agent and user without specific sanitization or filtering.
Recommendations
- HIGH: Downloads and executes remote code from: https://astral.sh/uv/install.sh - DO NOT USE without thorough review
Audit Metadata