idea-creator

Warn

Audited by Gen Agent Trust Hub on May 13, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill interpolates variables such as <id> and <slug> into shell commands within Phase 7. These variables are populated with content generated by an external LLM (Phase 2) and metadata extracted from web searches (Phase 1). If these strings contain shell metacharacters (e.g., ;, &&, |), they could trigger arbitrary command execution when the shell script is run.
  • Evidence: python3 "$WIKI_SCRIPT" add_edge research-wiki/ --from "idea:<id>" --to "paper:<slug>" --type inspired_by --evidence "..." in Phase 7.
  • [REMOTE_CODE_EXECUTION]: The skill uses dynamic path resolution to find and execute a Python script (research_wiki.py). It searches for the script in relative directories like .aris/tools/ and tools/, or via the $ARIS_REPO environment variable. An attacker with write access to the project directory could place a malicious script in one of these locations to achieve code execution when the skill is invoked.
  • Evidence: The resolution logic in Phase 0 and the subsequent execution in Phase 7: [ -f "$WIKI_SCRIPT" ] || WIKI_SCRIPT="tools/research_wiki.py" followed by python3 "$WIKI_SCRIPT" rebuild_query_pack research-wiki/.
  • [PROMPT_INJECTION]: Phase 1 of the skill performs a landscape survey by fetching data from the web (recent arXiv preprints and top venues). This untrusted data (abstracts, introductions, identified gaps) is then interpolated directly into the prompt for the senior ML researcher brainstorm in Phase 2 and Phase 4. This creates a surface for Indirect Prompt Injection, where malicious instructions hidden in research papers or web content could manipulate the agent's behavior or the output of the brainstorming session.
  • Evidence: Phase 2 prompt interpolation: [paste landscape map from Phase 1] and [paste gaps from Phase 1] into the mcp__codex__codex tool call.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 13, 2026, 01:06 PM