research-deep
Pass
Audited by Gen Agent Trust Hub on Jun 15, 2026
Risk Level: SAFE
Categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface. It reads data from an external file (`outline.yaml`) and interpolates it directly into the prompt template for background subagents.
  - Ingestion points: Data is ingested from `outline.yaml` (Step 1) and `fields.yaml` (Step 3).
  - Boundary markers: The prompt template uses Markdown headers (e.g., `## Task`, `## Field Definitions`) but lacks specific guardrails or instructions to ignore potential commands embedded within the interpolated `{item_related_info}` variable.
  - Capability inventory: The skill uses the `Task` tool to spawn subagents, which in turn have access to the shell (Bash) to run Python scripts.
  - Sanitization: There is no evidence of sanitization or filtering of the content retrieved from `outline.yaml` before it is passed to subagents.
- [COMMAND_EXECUTION]: The skill instructs background subagents to execute a local Python validation script (`~/.claude/skills/research-outline/validate_json.py`).
  - This script is expected to exist at a hardcoded path within the user's home directory, based on the installation of the broader research skill suite.
Audit Metadata