openalex

Warn

Audited by Gen Agent Trust Hub on May 18, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: In Step 3 of the workflow, the skill instructs the agent to execute python3 "$SCRIPT" search "QUERY". The QUERY variable is derived directly from user-supplied $ARGUMENTS. If a user provides a search query containing shell metacharacters (e.g., $(whoami) or ; curl attacker.com), the agent may execute these commands in the local environment because the instructions lack shell escaping or parameterization for the Bash(*) tool.
  • [PROMPT_INJECTION]: The skill processes untrusted data from the external OpenAlex API, including paper titles, abstracts, and author information. There are no boundary markers or instructions to treat this content as data rather than instructions, which could lead to indirect prompt injection if an attacker controls a paper's metadata in the OpenAlex database.
  • Ingestion points: External data enters the context in Step 4 and Step 5 from the openalex_fetch.py script output.
  • Boundary markers: Absent. The data is presented directly in a markdown table and summary.
  • Capability inventory: The skill has Bash(*), Read, and Write capabilities, making the impact of a successful injection high.
  • Sanitization: None mentioned for the fetched JSON results before presentation.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 18, 2026, 06:06 PM
Security Audit — agent-trust-hub — openalex