paper-navigator
Pass
Audited by Gen Agent Trust Hub on Apr 16, 2026
Risk Level: SAFE, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill leverages the `execute` tool to run specialized local Python scripts (e.g., `scholar_search.py`, `citation_traverse.py`) for processing academic data and generating literature reports. These scripts are managed within the skill's own directory structure.
- [EXTERNAL_DOWNLOADS]: Communicates with well-known service providers including Semantic Scholar, arXiv, HuggingFace, GitHub, and Jina Reader to retrieve research papers, metadata, and code repository information. These network operations are intrinsic to the skill's stated purpose of academic navigation.
- [PROMPT_INJECTION]: The skill processes external data such as paper titles and abstracts, which presents an indirect prompt injection surface. A malicious academic entry could theoretically contain instructions intended to influence agent behavior during reading or evaluation phases.
  - Ingestion points: Academic metadata and full-text content are ingested via Semantic Scholar and arXiv APIs and the Jina Reader service across multiple scripts (e.g., `fetch_paper.py`, `arxiv_monitor.py`).
  - Boundary markers: Untrusted content is generally presented as Markdown formatted text without specific structural delimiters.
  - Capability inventory: The skill execution environment provides access to `execute`, `write_file`, `edit_file`, and `read_file` tools.
  - Sanitization: The `scholar_search.py` script specifically validates XML input from the arXiv API to detect and block XXE injection patterns (`<!DOCTYPE`, `<!ENTITY`).
- [SAFE]: The skill implements best practices for secure application design, such as fetching authentication tokens from environment variables rather than hardcoding them. It also includes global rate-limiting logic to ensure compliant interaction with external APIs.
Audit Metadata