deepxiv

Warn

Audited by Gen Agent Trust Hub on May 18, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill takes user-supplied arguments from the $ARGUMENTS variable and inserts them directly into bash command strings in Step 3 (e.g., python3 tools/deepxiv_fetch.py search "QUERY"). This pattern is susceptible to command injection via shell metacharacters or command substitution (e.g., $(...)) if the input is not strictly sanitized by the agent before execution.
  • [COMMAND_EXECUTION]: In Step 6, the skill includes a complex bash script that dynamically resolves the file path for research_wiki.py using awk to parse local configuration files and git to locate the repository root. This dynamic resolution and subsequent execution with python3 constitutes dynamic code loading from computed paths, which is a security risk if project files are tampered with.
  • [EXTERNAL_DOWNLOADS]: The documentation suggests that users install the deepxiv-sdk package via pip. While this is required for the skill to function, it introduces a dependency on an external third-party package that should be verified for safety.
  • [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface.
      ◦ Ingestion points: Untrusted data from academic papers and metadata is retrieved via the deepxiv CLI and processed by the agent.
      ◦ Boundary markers: While double quotes are used in some bash commands, there are no explicit instructions or delimiters used to ensure the agent ignores malicious instructions embedded within the retrieved paper content.
      ◦ Capability inventory: The skill is granted Bash(*), Read, and Write capabilities, and it performs several subprocess executions and file operations.
      ◦ Sanitization: There is no evidence of sanitization or validation of the retrieved external content before it is displayed to the user or stored in the local wiki.
  • [CREDENTIALS_UNSAFE]: The skill documentation notes that the deepxiv CLI automatically stores authentication tokens in the ~/.env file. Interacting with or modifying the .env file is sensitive as it is a common location for high-value system secrets.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: May 18, 2026, 06:06 PM
Security Audit — agent-trust-hub — deepxiv