arxiv
Fail
Audited by Gen Agent Trust Hub on Mar 17, 2026
Risk Level: HIGH
COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill constructs and executes shell commands using variables directly derived from user arguments without sanitization or escaping.
  - In Step 2, the command `python3 "$SCRIPT" search "QUERY" --max MAX_RESULTS` interpolates the search query. A query containing shell metacharacters (e.g., `"; touch /tmp/pwned #`) could lead to arbitrary command execution.
  - In Step 4, the command `mkdir -p PAPER_DIR` uses the directory path provided by the user. A path such as `"; rm -rf / ; #"` could be used to execute destructive commands.
- [PROMPT_INJECTION]: The skill ingests and processes untrusted data from the arXiv API, creating a surface for indirect prompt injection.
  - Ingestion points: Paper titles and abstracts are fetched from `export.arxiv.org` in Steps 2 and 3 and rendered in Step 5.
  - Boundary markers: Absent. The skill does not wrap the external content in delimiters or provide instructions to the agent to ignore instructions embedded in the abstracts.
  - Capability inventory: The skill utilizes the `Bash(*)`, `Read`, and `Write` tools, allowing for potential system impact if an injection is successful.
  - Sanitization: Absent. Abstracts are processed directly for summarization in Step 5 without any filtering or validation.
- [EXTERNAL_DOWNLOADS]: The skill performs network operations to fetch metadata and PDF files from well-known academic sources.
  - Fetches paper metadata from the official arXiv API over HTTP (`http://export.arxiv.org/api/query`).
  - Downloads PDF files from the official arXiv repository (`https://arxiv.org/pdf/`).
Recommendations
- AI detected serious security threats
Audit Metadata