deep-research
Warn
Audited by Gen Agent Trust Hub on May 20, 2026
Risk Level: MEDIUM
PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill defines an Autopilot mode via the `--auto` flag that explicitly directs the agent to "Skip ALL user confirmations" and execute a multi-phase research pipeline end-to-end. This instruction overrides standard safety practices that require human verification before executing shell commands and spawning autonomous tool agents.
- [COMMAND_EXECUTION]: The orchestrator uses the `Bash` tool to perform system-level tasks including session initialization, file creation, and the execution of local shell scripts (`gemini-research.sh`, `browser-extract.sh`). These scripts invoke external CLI tools like `chromux` and `gemini` to perform research operations.
- [EXTERNAL_DOWNLOADS]: The skill utilizes the `npx` tool to dynamically execute `@team-attention/chromux` from the NPM registry. It also incorporates the `gemini` CLI, a tool provided by a well-known service (the `google-gemini` organization), for independent research tasks.
- [PROMPT_INJECTION]: The skill presents an Indirect Prompt Injection surface by retrieving and processing content from untrusted external web sources.
  - Ingestion points: Untrusted content enters the agent's context through `WebSearch`, `WebFetch`, and browser-based data extraction agents (SKILL.md).
  - Boundary markers: The instructions do not include boundary markers or delimiters to isolate retrieved web data from the agent's own instructional context.
  - Capability inventory: The skill is capable of executing arbitrary shell commands via `Bash` and spawning sub-agents with tool-use permissions (SKILL.md).
  - Sanitization: The workflow does not include any steps to sanitize or validate external content before it is processed by the agent or used to generate the final report.
Audit Metadata