adversarial-review

Pass

Audited by Gen Agent Trust Hub on Jun 13, 2026

Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill processes untrusted LaTeX manuscripts from the ".writing/manuscript/" directory, which introduces a surface for indirect prompt injection. Maliciously crafted content within a manuscript could attempt to manipulate the reviewer thread's behavior. \n
  • Ingestion points: LaTeX source files and BibTeX files in the ".writing/manuscript/" directory (SKILL.md, Step 0). \n
  • Boundary markers: The prompt templates in "references/attack-and-verdict.md" do not employ explicit security delimiters or boundary markers to isolate the manuscript content from the instructions. \n
  • Capability inventory: The skill executes local Python scripts and an internal Codex bridge, and it has permission to write files and progress logs to the project workspace. \n
  • Sanitization: No explicit sanitization or input validation of the LaTeX source content is performed. \n- [COMMAND_EXECUTION]: The skill executes a local Python script, "scripts/compute_verdict.py", to calculate a verdict from model-generated rulings. It also invokes an internal bridge script, "codex_bridge.py", to facilitate cross-model communication. These are controlled executions of the skill's own logic components.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 13, 2026, 05:55 PM
Security Audit — agent-trust-hub — adversarial-review