kill-argument

Warn

Audited by Gen Agent Trust Hub on May 18, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill directly interpolates user-provided input into a shell variable in the workflow: PAPER_DIR="$ARGUMENTS". This pattern is vulnerable to command injection if a user provides a path containing shell metacharacters (e.g., directory; malicious_command), allowing unauthorized execution of arbitrary bash commands.
  • [PROMPT_INJECTION]: The skill processes external, untrusted content from LaTeX source files, bibliography files, and PDFs by inserting them into LLM prompts for the codex MCP tool. This creates an indirect prompt injection vector where a malicious paper could hijack the sub-agent's instructions.
  • [PROMPT_INJECTION]: Mandatory Evidence Chain for Indirect Prompt Injection:
      ◦ Ingestion points: LaTeX (.tex), bibliography (.bib), and PDF files located in the directory specified by the user in Step 1.
      ◦ Boundary markers: The skill uses markdown headers (e.g., '## Files to read') and blockquotes in the codex prompt to delimit the paper content, providing basic but bypassable isolation.
      ◦ Capability inventory: The skill has access to Bash shell execution, file system operations (Read, Write, Edit, Grep, Glob), and sub-agent invocation via mcp__codex__codex.
      ◦ Sanitization: No sanitization, escaping, or structural validation is performed on the ingested file content before it is processed by the LLM.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 18, 2026, 06:07 PM
Security Audit — agent-trust-hub — kill-argument