adversarial-review
Pass
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted LaTeX manuscripts from the ".writing/manuscript/" directory, which introduces a surface for indirect prompt injection. Maliciously crafted content within a manuscript could attempt to manipulate the reviewer thread's behavior. \n
- Ingestion points: LaTeX source files and BibTeX files in the ".writing/manuscript/" directory (SKILL.md, Step 0). \n
- Boundary markers: The prompt templates in "references/attack-and-verdict.md" do not employ explicit security delimiters or boundary markers to isolate the manuscript content from the instructions. \n
- Capability inventory: The skill executes local Python scripts and an internal Codex bridge, and it has permission to write files and progress logs to the project workspace. \n
- Sanitization: No explicit sanitization or input validation of the LaTeX source content is performed. \n- [COMMAND_EXECUTION]: The skill executes a local Python script, "scripts/compute_verdict.py", to calculate a verdict from model-generated rulings. It also invokes an internal bridge script, "codex_bridge.py", to facilitate cross-model communication. These are controlled executions of the skill's own logic components.
Audit Metadata