deep-research
Pass
Audited by Gen Agent Trust Hub on May 29, 2026
Risk Level: SAFEPROMPT_INJECTIONDATA_EXFILTRATIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill ingests untrusted data from the web using
web_searchandweb_fetchtools, which creates an indirect prompt injection surface where external content could attempt to influence the agent's logic. This risk is mitigated by an architecture where the lead agent only processes distilled notes from subagents rather than raw search context, and through a mandatory 'Counter-Review' phase (P6) that validates claims against multiple independent sources. - [DATA_EXFILTRATION]: The skill handles user-provided exclusive sources, such as paid APIs and proprietary databases (e.g., Crunchbase Pro), for research. It includes a 'Source Accessibility Policy' in
references/source_accessibility_policy.mdspecifically designed to prevent 'Circular Verification'—the accidental exposure of user-owned private account data back to the user under the guise of research findings. While the skill manages sensitive user-provided tokens, these operations are guided by explicit privacy and verification boundaries. - [COMMAND_EXECUTION]: The orchestration of research tasks involves the generation and execution of shell commands to dispatch subagents (e.g.,
claude -p ...), as documented inreferences/subagent_prompt.md. This mechanism is used to parallelize research tasks and manage output files within the local workspace environment, representing a legitimate use of local command execution for agentic coordination.
Audit Metadata