arxiv
Warn
Audited by Gen Agent Trust Hub on May 18, 2026
Risk Level: MEDIUM
Tags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: User input from $ARGUMENTS (specifically the QUERY and PAPER_DIR parameters) is interpolated directly into shell command strings in Step 2 (python3 "$SCRIPT" search "QUERY") and Step 4 (mkdir -p PAPER_DIR). This lacks sanitization instructions, which could allow an attacker to execute arbitrary commands using shell metacharacters such as backticks or command substitution syntax.
- [REMOTE_CODE_EXECUTION]: The skill's logic involves searching for and executing local Python scripts (arxiv_fetch.py and research_wiki.py) from relative paths, including the current project directory. This pattern can be exploited if a malicious actor is able to place a script in these locations, leading to the execution of untrusted code when the skill is invoked.
- [EXTERNAL_DOWNLOADS]: The skill performs network operations to fetch metadata and PDF files from arxiv.org. While arXiv is a well-known and reputable service, the combination of external data retrieval with broad Bash and Write permissions requires careful management of the downloaded content.
- [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection by ingesting untrusted paper metadata (titles, authors, and abstracts) from the arXiv API. This content is subsequently used to generate summaries and update a 'Research Wiki' without sanitization or boundary markers, which could be used to influence the agent's downstream reasoning or actions.
Audit Metadata