deep-research
Pass
Audited by Gen Agent Trust Hub on Apr 7, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The instructions in SKILL.md and WORKFLOW.md guide the agent to execute local Python scripts via shell commands with user-provided input (e.g., topic slugs). This creates a surface for argument injection if the calling agent does not correctly escape the input. Evidence includes the Quick Start instructions to run python3 scripts/cache_manager.py fetch "{topic}".
- [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection (Category 8) because it processes and stores technical research obtained via third-party search tools. Ingestion points occur in cache_manager.py and promote.py when external content is written to markdown files. The skill uses boundary markers () in promoted files and normalization (normalize_slug) for filenames, but does not sanitize the research content itself. Capability inventory includes shell execution of internal scripts, git operations via subprocess, and filesystem access in user and project directories.
Audit Metadata