explore-sota
Pass
Audited by Gen Agent Trust Hub on Jun 18, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The procedure requires running
make checkto validate the state of the research queue. This involves executing a local Makefile, which is a standard development practice but allows for arbitrary shell command execution defined within that file. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests and processes untrusted data (paper titles, abstracts, and citations) from external sources like arXiv and Semantic Scholar. Maliciously crafted paper metadata could theoretically attempt to influence the agent's triage or digestion logic.
- Ingestion points: Scholarly metadata and paper content retrieved via
arxiv,semantic-scholar, andopenalextools (found inSKILL.md). - Boundary markers: No explicit delimiters or instructions are provided to the agent to treat external paper metadata as untrusted or to ignore embedded instructions.
- Capability inventory: The agent has the ability to write to the local file system (
sota/queue.md,sota/index.md) and execute shell commands (make check). - Sanitization: There is no evidence of sanitization or validation of the external content before it is recorded in the local queue or processed for digestion.
Audit Metadata