novelty-check
Warn
Audited by Gen Agent Trust Hub on May 13, 2026
Risk Level: MEDIUM
PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted data from external sources and processes it using a reasoning model without sanitization.
  - Ingestion points: Phase B uses `WebSearch` and `WebFetch` to retrieve abstracts and technical claims from the public web (arXiv, Google Scholar, etc.).
  - Boundary markers: The instructions in Phase C interpolate this external content directly into the prompt for the `REVIEWER_MODEL` without using delimiters or instructions to the model to ignore potential commands embedded in the abstracts.
  - Capability inventory: The skill allows access to powerful tools like `mcp__codex__codex` and file system tools (`Grep`, `Read`, `Glob`), which an injected instruction could attempt to abuse.
  - Sanitization: There is no evidence of filtering or escaping external content before it is passed to the reasoning model.
- [COMMAND_EXECUTION]: The instructions direct the agent to execute a shell script located at `tools/save_trace.sh`. Since this script is not part of the skill's source files, its behavior is unverifiable and could execute arbitrary or malicious commands on the host system.
- [DATA_EXFILTRATION]: The 'Review Tracing' section instructs the agent to write files to a hidden directory (`.aris/traces/`). This mechanism, while described as logging, could be used to harvest information from the agent's session and persist it in a non-standard location on the file system.
Audit Metadata