semantic-scholar

Fail

Audited by Gen Agent Trust Hub on Apr 1, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructions in Step 2 and Step 3 guide the agent to construct shell commands, such as python3 "$SCRIPT" search "QUERY", by directly interpolating user-supplied arguments. There are no directives to sanitize or escape shell metacharacters (e.g., semicolons, backticks, or pipes), creating a high risk of command injection if the user provides a malicious query.
  • [PROMPT_INJECTION]: The design of the skill workflow encourages the agent to handle arbitrary user input and pass it to a powerful tool (Bash) without validation. This provides a direct path for prompt injection to manipulate the agent's behavior and execute unauthorized commands.
  • [EXTERNAL_DOWNLOADS]: The skill fetches data from api.semanticscholar.org. This is a well-known academic service used for retrieving paper metadata and is considered a legitimate external dependency for the skill's functionality.
  • [PROMPT_INJECTION]: Indirect Prompt Injection Risk Assessment:
      • Ingestion points: Untrusted external data is ingested from the Semantic Scholar API (titles, abstracts, and TLDRs) in SKILL.md Step 2 and Step 3.
      • Boundary markers: No boundary markers or instructions to ignore embedded commands are present in the prompt templates to protect the agent from malicious instructions within paper metadata.
      • Capability inventory: The skill is granted Bash, Read, and Write permissions, which could be exploited if an ingested paper title or abstract contained instructions the agent attempted to follow.
      • Sanitization: There is no evidence of sanitization or filtering applied to the API responses before they are processed by the agent.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Apr 1, 2026, 10:18 PM