comm-lit-review-claude-single
Pass
Audited by Gen Agent Trust Hub on Mar 18, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill is granted access to the
Bash(*)tool. While the workflow indicates this is used for locating local PDF files within the project structure, the wildcard permission allows for arbitrary command execution on the host system without restriction. - [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting and processing data from external, untrusted sources which could contain malicious instructions.
- Ingestion points: The agent reads local PDFs from
papers/andliterature/folders, retrieves notes from Obsidian and Zotero via MCP, and fetches external web content from academic databases like IEEE Xplore, ScienceDirect, and ACM Digital Library. - Boundary markers: Absent. The skill provides no instructions to the agent to distinguish between its own system instructions and the content retrieved from the papers, nor does it use delimiters to isolate external text.
- Capability inventory: The skill possesses high-privilege capabilities including
Bash(*),Write, andWebFetchtools. - Sanitization: Absent. There is no evidence of filtering, escaping, or validation performed on the text extracted from retrieved documents before it is synthesized into the final output.
Audit Metadata