idea-creator
Warn
Audited by Gen Agent Trust Hub on May 17, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes local Python scripts (e.g., `research_wiki.py`) and shell commands to manage research state. It uses a dynamic resolution chain to find these scripts in the `.aris/tools/` or `tools/` directories and executes them using `python3`. This dynamic path resolution and subsequent execution represents a medium-level risk if the local environment is compromised.
- [EXTERNAL_DOWNLOADS]: In Phase 1, the skill uses `WebSearch` and `WebFetch` to download research paper abstracts, introductions, and metadata from external sources such as arXiv and various research venues. This data is used to build the landscape map.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8). It ingests untrusted data from external web searches and local paper files and interpolates this content directly into prompts for an external LLM (`mcp__codex__codex`).
  - Ingestion points: `WebSearch` and `WebFetch` outputs, local `papers/` and `literature/` contents, and the `research-wiki/query_pack.md` file.
  - Boundary markers: No explicit delimiters or instructions to ignore embedded commands are used when pasting external content into the LLM prompts.
  - Capability inventory: The skill has access to `Bash(*)`, `Write`, `WebSearch`, and the ability to launch experiments via `/run-experiment`.
  - Sanitization: No sanitization or validation of the ingested research content is performed before it is sent to the brainstorming model.
- [COMMAND_EXECUTION]: In Phase 5, the skill uses the `/run-experiment` tool to launch parallel "pilot experiments" on GPUs. This involves executing code designed to test generated hypotheses. If the idea generation phase is influenced by malicious instructions in a research paper (indirect injection), it could lead to the execution of malicious experiment code.
Audit Metadata