grant-proposal
Warn
Audited by Gen Agent Trust Hub on May 13, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The instruction set directs the agent to execute the shell command `python3 tools/extract_paper_style.py --source "<source>"`. Because the `<source>` value is taken directly from the user-controlled `$ARGUMENTS` string, an attacker can inject arbitrary shell commands (e.g., by closing the quote and using command delimiters such as `;` or `&`).
- [COMMAND_EXECUTION]: The skill references a local installation script, `tools/install_aris.sh`, and suggests executing it via bash; this means running a script the user may not have reviewed or verified.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted external content.
  - Ingestion points: Research ideas, literature survey data, and web content retrieved via `WebFetch` from various grant databases and research sources.
  - Boundary markers: No delimiters, and no instructions to ignore embedded directives, are applied when this data is processed.
  - Capability inventory: The skill has broad capabilities including `Bash(*)`, `Write`, `Edit`, and model invocation via `mcp__codex__codex`, so injected instructions can reach tools with real side effects.
  - Sanitization: The skill does not sanitize or validate external content before it is processed by the agent or the sub-agent.
- [EXTERNAL_DOWNLOADS]: The skill uses `WebFetch` and `WebSearch` to retrieve content from external websites and suggests cloning resources from an external 'ARIS repo', potentially introducing untrusted code or data into the environment.
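The first COMMAND_EXECUTION finding, shown as runnable code. This is an added example written for this audit page, not code from the grant-proposal skill or from Gen Agent Trust Hub. The real `tools/extract_paper_style.py` is not on the page, so a constructed stand-in that only echoes the `--source` value it received takes its place; the payload, the `SAFE_SOURCE` pattern, and the `validate_source`/`run_safe` helpers are assumptions chosen to illustrate the fix, not part of the skill. The unsafe path reproduces the audited pattern (user input spliced into a shell string); the two fixes pass the value as a single argv element so `/bin/sh` never parses it, and additionally validate it against an allow-list and a base directory before use.

```python
import re
import shlex
import subprocess
import sys
from pathlib import Path

# Constructed stand-in for tools/extract_paper_style.py (hypothetical; the real
# script is not on the page). It prints back the --source value it received.
STAND_IN_TOOL = (
    "import sys; i = sys.argv.index('--source'); print('tool got:', sys.argv[i + 1])"
)
TOOL_ARGV = [sys.executable, "-c", STAND_IN_TOOL]

# Constructed attacker-controlled $ARGUMENTS value: closes the double quote,
# appends its own command, then reopens the quote so the line still parses.
PAYLOAD = 'paper.pdf"; echo INJECTED; echo "'


def run_unsafe(source: str) -> str:
    """Mirrors the audited pattern: interpolate the user value into a shell string."""
    cmd = " ".join(shlex.quote(a) for a in TOOL_ARGV) + f' --source "{source}"'
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv(source: str) -> str:
    """Fix 1: pass the value as one argv element; no shell is involved, so
    quotes and delimiters inside it are just bytes in the argument."""
    proc = subprocess.run(TOOL_ARGV + ["--source", source],
                          capture_output=True, text=True)
    return proc.stdout


# Fix 2: allow-list the value before use. Leading '-' is excluded so the value
# can never be mistaken for an option; '.' is excluded as the first character
# so bare '..' segments at the start are rejected up front.
SAFE_SOURCE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/-]*")


def validate_source(source: str, base: Path = Path(".")) -> Path:
    """Return the resolved path if source is well-formed and stays under base,
    otherwise raise ValueError (assumed policy for this example)."""
    if not SAFE_SOURCE.fullmatch(source):
        raise ValueError(f"rejected source argument: {source!r}")
    base = base.resolve()
    target = (base / source).resolve()       # collapses any '..' segments
    if not target.is_relative_to(base):      # Python 3.9+
        raise ValueError(f"source escapes {base}: {source!r}")
    return target


def source_is_safe(source: str, base: Path = Path(".")) -> bool:
    try:
        validate_source(source, base)
        return True
    except ValueError:
        return False


def run_safe(source: str, base: Path = Path(".")) -> str:
    """Validate first, then hand the resolved path to the tool as a single argv element."""
    return run_argv(str(validate_source(source, base)))


if __name__ == "__main__":
    print("shell string :", repr(run_unsafe(PAYLOAD)))   # INJECTED runs as its own command
    print("argv list    :", repr(run_argv(PAYLOAD)))     # payload arrives as a literal value
    for candidate in (PAYLOAD, "a/../../etc/passwd", "--source", "papers/draft.pdf"):
        print(f"validate {candidate!r}: {source_is_safe(candidate)}")
```

Run it and the shell-string variant prints a separate `INJECTED` line, while the argv variant shows the whole payload delivered verbatim as the `--source` value. Argv passing alone closes the shell-injection hole; the validation step is what stops the tool from being pointed at files outside the project, which matters when the agent also holds `Bash(*)` and `Write`.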
Audit Metadata