resubmit-pipeline
Warn
Audited by Gen Agent Trust Hub on May 18, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes `Bash(*)` for critical file operations. While the primary bash block for directory creation uses proper quoting, the 'Composition rules' section provides instructions for the agent to execute shell commands such as `cp -r $PAPER_BASE_DIR/sec/ $NEW_VENUE_DIR/sec/` where path variables are unquoted. This inconsistency creates a risk of command injection or execution errors if the user-provided paths contain spaces or shell metacharacters.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it ingests and processes untrusted external data.
  - Ingestion points: The skill reads manuscript content from `paper-base-dir` and external reviewer feedback from `review-corpus`.
  - Boundary markers: The instructions lack defined delimiters or clear directives to the agent to disregard malicious commands embedded within these external documents.
  - Capability inventory: The agent has extensive capabilities, including full `Bash` access and the ability to modify files and invoke other agent skills, which could be exploited if malicious instructions in a reviewer report are processed and executed.
  - Sanitization: No sanitization or validation of the input content is performed before it is used to drive the 'microedit' and 'audit' phases.
- [SAFE]: The skill demonstrates strong defensive design by creating isolated sibling directories for new submissions, ensuring prior work remains immutable. It also implements a sophisticated '5-layer' anonymity scan to prevent accidental disclosure of author identity and integrates with established academic tools like `latexmk`, `pdfinfo`, and `/overleaf-sync`.
Audit Metadata