citation-management
Pass
Audited by Gen Agent Trust Hub on May 29, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The script `scripts/generate_schematic.py` uses `subprocess.run()` to execute a local helper script, `generate_schematic_ai.py`. The execution is handled securely using argument lists to prevent shell injection, and sensitive credentials are passed through environment variables rather than command-line arguments.
- [EXTERNAL_DOWNLOADS]: The skill performs legitimate network operations to fetch academic data and utilize AI services from well-known providers:
  - Retrieves BibTeX data from `doi.org`.
  - Fetches citation metadata from CrossRef (`api.crossref.org`), NCBI PubMed (`eutils.ncbi.nlm.nih.gov`), and arXiv (`export.arxiv.org`).
  - Communicates with the OpenRouter API (`openrouter.ai`) for AI-powered diagram generation and review.
- [PROMPT_INJECTION]: The skill has an indirect prompt injection surface, as it processes external publication metadata (titles, abstracts) that could potentially contain malicious instructions.
  - Ingestion points: External metadata fetched in `scripts/extract_metadata.py` and search results in `scripts/search_pubmed.py`.
  - Boundary markers: Data is structured into BibTeX fields, which provides some separation from the agent's instructions.
  - Capability inventory: The skill can execute local subprocesses via `scripts/generate_schematic.py`.
  - Sanitization: The scripts use standard JSON and XML parsers, but no specific sanitization for LLM-focused injection patterns is implemented in the data handling logic.
- [DATA_EXFILTRATION]: There is no evidence of sensitive data exfiltration. The skill follows best practices by retrieving API keys from environment variables or local `.env` files rather than hardcoding them in the source code.
Audit Metadata