research-lit

Warn

Audited by Gen Agent Trust Hub on May 17, 2026

Risk Level: MEDIUM
Flagged categories: DATA_EXFILTRATION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill accesses highly sensitive personal data from Zotero libraries (mcp__zotero__*) and Obsidian vaults (mcp__obsidian-vault__*), including private research notes, annotations, and highlights. This data is synthesized and potentially transmitted to external entities through search queries to academic APIs (Semantic Scholar, OpenAlex, Exa) or incorporated into prompts sent to external LLMs via the Gemini MCP tool.
  • [COMMAND_EXECUTION]: The skill extensively uses shell commands (bash) to perform complex logic, such as resolving script paths and executing Python utilities. It includes logic to find and run scripts across multiple possible directories (tools/, .aris/, and ~/.claude/skills/), which can be influenced by the environment configuration.
  • [REMOTE_CODE_EXECUTION]: The core functionality of the skill relies on a suite of external Python scripts (e.g., arxiv_fetch.py, semantic_scholar_fetch.py, deepxiv_fetch.py, exa_search.py, openalex_fetch.py, verify_papers.py, research_wiki.py). These scripts are executed via the command line with arguments derived from user input, and their behavior is not defined within the skill file itself.
  • [EXTERNAL_DOWNLOADS]: The skill includes an optional feature to automatically download PDF files from arXiv to the local file system based on search results.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) because it processes untrusted data from the web:
    • Ingestion points: Paper abstracts, metadata, and web search results fetched from multiple external academic APIs enter the agent context through the workflow defined in SKILL.md.
    • Boundary markers: No explicit delimiters or instructions isolate untrusted external content from the agent's core instructions.
    • Capability inventory: The skill has significant capabilities, including full shell access (Bash), file system write access (Write), and network operations (WebSearch, WebFetch), so injected instructions in fetched content could reach tools that act on the host and the network.
    • Sanitization: A verification script (verify_papers.py) confirms that cited papers exist, but it does not perform any security sanitization of the content fetched from the web.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: May 17, 2026, 01:26 AM
Security Audit — agent-trust-hub — research-lit