thesis-tracker
Pass
Audited by Gen Agent Trust Hub on Jun 16, 2026
Risk Level: SAFE
Full Analysis
- Command Execution: The skill utilizes a local Python utility (
scripts/materialize_thesis_tracker.py) to transform structured JSON data into CSV and Excel formats. This script is used for artifact generation and operates on data internal to the skill's workflow. - Indirect Prompt Injection Surface: The skill is designed to ingest and process data from external sources such as regulatory filings, news articles, and research memos. This creates a potential attack surface where adversarial content in those documents could attempt to influence the agent's output.
- Ingestion points: Data enters the system from external URLs (news/filings) and user-provided files as described in
references/intake-and-source-priority.md. - Boundary markers: The workflow instructions in
SKILL.mdandreferences/workflow-core.mdrequire explicit source labeling and separation of factual evidence from analyst judgment, which helps maintain analytical integrity. - Capability inventory: The skill has the capability to write to the local file system in the
outputdirectory via its report generation script. - Sanitization: Content is processed into structured formats (CSV/XLSX) using the
csvmodule andopenpyxllibrary, which provide standard escaping for these file types. - Dependency Management: The skill declares a requirement for
openpyxl, a standard and well-known Python library for handling Excel files, used here to create formatted thesis tracker workbooks.
Audit Metadata