novelty-check
Pass
Audited by Gen Agent Trust Hub on May 18, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) due to its data ingestion patterns.\n
- Ingestion points: Technical paper abstracts and metadata are fetched from the web using the WebFetch tool in Phase B.\n
- Boundary markers: The prompt constructed for the reviewer model (mcp__codex__codex) lacks delimiters or explicit isolation for the untrusted abstract content.\n
- Capability inventory: The skill possesses file access capabilities (Read, Glob, Grep) and can execute local shell and Python scripts.\n
- Sanitization: No sanitization or filtering logic is described for the external content before it is interpolated into the prompt.\n- [COMMAND_EXECUTION]: The skill invokes local utility scripts, specifically tools/verify_papers.py for citation verification and tools/save_trace.sh for maintaining audit traces. These are vendor-provided utilities necessary for the research assistant's stated functionality.
Audit Metadata