proof-checker
Pass
Audited by Gen Agent Trust Hub on Apr 19, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it processes untrusted LaTeX content and passes it to an external model while having access to high-privilege tools.
- Ingestion points: Untrusted data enters the context in SKILL.md (Phase 0 and 1) via the Read and Grep tools which read the proof files.
- Boundary markers: The skill lacks strong delimiters or warnings to ignore embedded instructions in the Codex prompt template in SKILL.md.
- Capability inventory: The skill utilizes Bash, Write, and Edit tools as described in SKILL.md and Phase 2, which could be misused if instructions in the proof files are obeyed.
- Sanitization: No sanitization or validation of external content is present in the workflow.
- [COMMAND_EXECUTION]: The skill uses the Bash tool to execute document compilation via pdflatex. This pattern presents a potential for command injection if filenames or arguments derived from user input are not strictly sanitized.
- [DATA_EXFILTRATION]: The skill transmits the contents of local LaTeX files to an external service (mcp__codex__codex). While central to the skill's purpose, this represents a transfer of potentially sensitive data to an external tool.
Audit Metadata