grant-proposal
Warn
Audited by Gen Agent Trust Hub on May 18, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a local Python script, tools/extract_paper_style.py, using user-supplied arguments which can include external URLs. It also instructs the user to run an external installation script, tools/install_aris.sh, if dependencies are missing.
- [DATA_EXFILTRATION]: Completed grant proposals, containing potentially sensitive research ideas and PI credentials, are transmitted to an external service via the mcp__codex__codex-reply tool. The skill also reads from the sensitive path ~/.claude/feishu.json to configure notifications to an external service.
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface by ingesting untrusted data from web searches, literature sources, and external URLs (used as style references). This data is interpolated into subsequent drafting and review prompts without explicit boundary markers or sanitization, potentially allowing external content to manipulate the agent's behavior.
- Ingestion points: WebSearch and WebFetch results in Phase 1; external source URL for style reference in Phase 0.
- Boundary markers: None identified in the prompt interpolation logic.
- Capability inventory: Bash, Write, mcp__codex, Agent, Skill.
- Sanitization: No validation or escaping of external content before use in prompts.
Audit Metadata