research-agent
Pass
Audited by Gen Agent Trust Hub on Mar 23, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes local scripts using `uv run python -m runtime.harness` to perform research tasks. These scripts include `scripts/mcp/nia_docs.py`, `scripts/mcp/perplexity_search.py`, and `scripts/mcp/firecrawl_scrape.py`. The execution is parameterized based on input research questions provided to the agent.
- [EXTERNAL_DOWNLOADS]: The skill retrieves data from the public internet via the Perplexity search engine and Firecrawl web scraper. This content is inherently untrusted and provided by external sources.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) because it processes untrusted external data into research findings without sanitization or protective delimiters.
  - Ingestion points: Untrusted data enters the agent context through search results and web scraping via the Perplexity and Firecrawl MCP tools mentioned in SKILL.md.
  - Boundary markers: The instructions do not define boundary markers or explicit commands for the agent to ignore instructions embedded within the retrieved research data.
  - Capability inventory: The agent has the ability to execute local Python scripts and write structured handoff files to the filesystem as described in SKILL.md.
  - Sanitization: There is no evidence of sanitization or filtering of external content before it is synthesized into the final handoff document.
Audit Metadata