review-literature
Pass
Audited by Gen Agent Trust Hub on Apr 19, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted external data from academic papers and web search results. Maliciously crafted documents could contain instructions aimed at overriding the agent's behavior or biasing the literature survey.
- Ingestion points: Full PDF files downloaded from external archives (arXiv, ePrint) and snippets from web search results (Step 8, Step 2, Step 3).
- Boundary markers: Absent; the skill does not instruct the agent to use delimiters or ignore embedded instructions when reading papers.
- Capability inventory: The agent can write files to the workspace (
reaper-workspace/) and invoke secondary skills (/analyze-paper,/search-paper) based on processed data. - Sanitization: Absent; the content of the papers is passed directly to the analysis sub-skill.
- [COMMAND_EXECUTION]: The skill interpolates user-provided input (
<research-goal>) directly into arguments for other skills (e.g.,/analyze-paper). While typical for agent workflows, this creates a potential surface for command injection if the user input is not properly handled by the host environment. - [EXTERNAL_DOWNLOADS]: The skill fetches academic papers from well-known repositories such as arXiv and IACR ePrint, and performs searches via public web search engines. These network operations are necessary for the skill's primary function of literature review.
- [DATA_EXFILTRATION]: The skill extracts keywords, author names, and technical concepts from local files (
paper-summary.md) to generate search queries for external services. This data movement is aligned with the stated purpose of the skill.
Audit Metadata