arxiv-watcher
Pass
Audited by Gen Agent Trust Hub on Mar 21, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The script scripts/search_arxiv.sh interpolates the $QUERY variable directly into a curl command string. If an agent passes a query containing shell metacharacters such as backticks or $(...), it could lead to arbitrary command execution on the host machine.
- [PROMPT_INJECTION]: The skill processes untrusted external data (ArXiv paper titles and abstracts), which serves as a surface for indirect prompt injection attacks.
  - Ingestion points: XML data fetched from export.arxiv.org.
  - Boundary markers: None; the skill is instructed to parse and summarize the content directly without delimiting markers or safety instructions.
  - Capability inventory: The skill can execute local shell scripts, write to memory/RESEARCH_LOG.md, and fetch arbitrary web content via web_fetch.
  - Sanitization: There is no evidence of input validation or content sanitization to prevent malicious instructions within paper abstracts from affecting the agent behavior.
- [EXTERNAL_DOWNLOADS]: The skill makes network requests to export.arxiv.org to retrieve paper data. This is an official and well-known academic repository.