research-pipeline
Pass
Audited by Gen Agent Trust Hub on Apr 19, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface. The skill fetches external data from web searches and arXiv PDF downloads, which is then used to influence the autonomous code generation and paper writing stages.
  - Ingestion points: Data enters the context through the WebSearch, WebFetch, and arXiv (via /research-lit) tools during the discovery and review phases.
  - Boundary markers: There are no specified delimiters or instructions to ignore potential commands embedded in the fetched literature or web results.
  - Capability inventory: The skill possesses high-impact tools, including Bash(*), Write, Edit, and mcp__codex__codex, for code execution.
  - Sanitization: No sanitization or validation logic is present to filter malicious instructions from downloaded PDFs or web content before processing.
- [COMMAND_EXECUTION]: Autonomous shell operations. The skill is explicitly instructed to use Bash (cat << 'EOF' > file) to silently bypass file size limitations and write content without user permission or notification.
- [COMMAND_EXECUTION]: Remote deployment and dynamic execution. In Stages 3 and 4, the skill autonomously syncs code to remote servers and executes it using codex exec (specifically in 'nightmare' mode), which represents a dynamic execution surface for generated code.
- [EXTERNAL_DOWNLOADS]: Fetches academic documents. When the ARXIV_DOWNLOAD constant is enabled, the skill automatically downloads PDF files from arXiv. While arXiv is a well-known and reputable source, these downloads provide the primary vector for the indirect prompt injection surface mentioned above.
Audit Metadata