research-lit

Fail

Audited by Gen Agent Trust Hub on May 13, 2026

Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill implements a pattern of dynamic script discovery and execution. It uses the find command to locate scripts such as arxiv_fetch.py, semantic_scholar_fetch.py, exa_search.py, openalex_fetch.py, and research_wiki.py across multiple locations (e.g., tools/, ~/.claude/skills/arxiv/, .aris/tools/), and then runs whichever copy it finds with python3. Because the script is resolved by name at runtime rather than from a fixed, trusted path, a malicious script placed in any scanned directory under the expected name (a shadowing attack) would be executed by the agent.
  • [COMMAND_EXECUTION]: The skill relies heavily on the Bash(*) tool to perform complex logic, including multi-step script resolution chains and environment checks. It specifically instructs the agent to execute shell commands assembled from what it finds on the file system, which enlarges the attack surface if the environment is compromised.
  • [DATA_EXFILTRATION]: The skill is configured to access highly sensitive local data sources, including the user's Obsidian vault (personal notes), Zotero library (research history/annotations), and local document directories. Since the skill also has unrestricted network access via WebSearch and WebFetch, there is a significant risk of data exfiltration if the agent is manipulated into sending local research data to external endpoints.
  • [PROMPT_INJECTION]: The skill is highly exposed to indirect prompt injection. It ingests untrusted content from several external sources, including arXiv, Semantic Scholar, Exa Search, OpenAlex, and broad web searches. This data (abstracts, titles, and extracted content) is then used in Step 3 ('Synthesize') to identify gaps and group themes. The instructions specify no boundary markers or sanitization requirements for this content, so instructions embedded in a paper's metadata or abstract could influence the agent's behavior during synthesis.
  • [EXTERNAL_DOWNLOADS]: The skill instructs the agent to download arbitrary PDF files from the internet (specifically arXiv) to the local filesystem when a specific flag is set. Although the source is a known one, this provides a mechanism for fetching external files that the agent later parses.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
May 13, 2026, 02:00 PM