citation-audit

Pass

Audited by Gen Agent Trust Hub on May 18, 2026

Risk Level: SAFE
Flags: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from LaTeX files and bibliography databases and interpolates it directly into prompts for a secondary AI model (gpt-5.5 via mcp__codex__codex).
  • Ingestion points: Extracts citation contexts from *.tex files and bibliographic metadata from *.bib files (Steps 1 and 2).
  • Boundary markers: The prompt template uses Markdown headers (e.g., ## Where this entry is cited) but lacks explicit instructions to the reviewer model to ignore or escape instructions embedded within the interpolated paper content.
  • Capability inventory: The skill environment has access to powerful tools including mcp__codex__codex, WebSearch, WebFetch, Bash, and Edit.
  • Sanitization: There is no evidence of sanitization or input validation performed on the paper content before it is sent to the external reviewer or used to generate file-write operations.
  • [COMMAND_EXECUTION]: The skill executes latexmk on the audited paper directory. If the paper contains malicious TeX macros (such as \write18 or other shell-escape commands), it could lead to arbitrary command execution on the host system during the verification process.
  • [EXTERNAL_DOWNLOADS]: The skill uses WebSearch and WebFetch to interact with external databases like DBLP and arXiv. While these are reputable sources, the interactions are driven by untrusted citation keys extracted from the user's files.
Audit Metadata
Risk Level: SAFE
Analyzed: May 18, 2026, 06:06 PM