research-report
Warn
Audited by Gen Agent Trust Hub on Jun 15, 2026
Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill programmatically writes a new Python script (generate_report.py) to the workspace and immediately executes it using the system shell. This dynamic execution pattern is inherently risky as it allows for the execution of arbitrary logic that is not part of the static skill definition.
- [COMMAND_EXECUTION]: The skill utilizes the Bash tool to invoke the Python interpreter (python {topic}/generate_report.py). This capability allows the skill to execute system-level commands, which is used here to run the dynamically generated code.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests data from external JSON files (output_dir/*.json) produced by research tasks. This data is used as context when the agent writes the executable Python script. An attacker could potentially place malicious payloads in the research data to hijack the code generation process.
- Ingestion points: The skill reads multiple JSON files from an output directory to identify fields and format the final report.
- Boundary markers: No explicit delimiters or safety instructions are defined to separate untrusted research data from the instructions used to generate the report script.
- Capability inventory: The skill possesses the Write tool (to create the script) and the Bash tool (to execute it), providing a complete path from data ingestion to code execution.
- Sanitization: There is no evidence of sanitization, validation, or escaping of the research data before it is incorporated into the script-writing logic.
Audit Metadata