ai-research-explore

Warn

Audited by Gen Agent Trust Hub on Jun 12, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The main orchestrator script (orchestrate_explore.py) and various helper scripts make extensive use of subprocess.run to call system tools like git, nvidia-smi, rocm-smi, and to execute other Python scripts within the environment.
  • [REMOTE_CODE_EXECUTION]: The execution_feasibility.py script utilizes importlib.util.spec_from_file_location and exec_module to dynamically load and execute Python modules from the repository being analyzed. This occurs during 'import-probe' and 'constructor-probe' checks, meaning code from the analyzed repository is executed in the agent's environment.
  • [EXTERNAL_DOWNLOADS]: The skill performs network requests using urllib.request to fetch data from ArXiv (export.arxiv.org), DOI (doi.org), and GitHub (api.github.com) APIs. Additionally, url_provider.py is capable of fetching content from arbitrary URLs provided in campaign configuration or extracted from the repository.
  • [PROMPT_INJECTION]: The skill has a significant surface for indirect prompt injection (Category 8). It ingests untrusted data from the repository (READMEs, code comments, configuration files) and from external API responses to generate 'idea seeds' and 'improvement banks' which are then presented to the agent. Maliciously crafted content in these sources could potentially influence the agent's reasoning or subsequent actions.
  • [DYNAMIC_EXECUTION]: In scripts/write_outputs.py, the skill dynamically loads a Python module from a relative path (../../../shared/scripts/write_explore_bundle.py) that resides several levels above its own directory, introducing a dependency on external local files and executing them at runtime.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 12, 2026, 07:42 PM
Security Audit — agent-trust-hub — ai-research-explore