proof-checker
Warn
Audited by Gen Agent Trust Hub on May 18, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It reads input from mathematical LaTeX files and includes that content directly into a high-reasoning AI model prompt without using boundary markers or sanitization. This allows malicious instructions embedded in a proof to potentially influence the agent's behavior.
- Ingestion points: Phase 0 reads LaTeX files (e.g., main.tex) from the local filesystem.
- Boundary markers: Absent. The untrusted proof content is appended to the end of the reviewer prompt without delimiters or escaping.
- Capability inventory: The skill possesses broad system capabilities including Bash(*), Edit, Write, and Agent.
- Sanitization: None. The skill does not validate or sanitize the LaTeX content before processing.
- [COMMAND_EXECUTION]: The skill utilizes the Bash tool to execute shell commands such as pdflatex. While intended for legitimate compilation, these commands represent a significant capability that could be abused if the agent's logic is subverted via input-driven injection.
- [REMOTE_CODE_EXECUTION]: The skill implements a workflow where a remote AI model (Codex) generates fix plans and LaTeX patches. Because these plans are based on untrusted input data, the agent's application of these fixes via the Edit and Write tools constitutes the execution of externally influenced logic on the local system.
Audit Metadata