semantic-scholar
Warn
Audited by Gen Agent Trust Hub on May 12, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill instructions direct the agent to execute shell commands using dynamic paths and unsanitized user input. In Step 2, the agent uses `find` to locate a script and then executes it using `python3 "$SCRIPT" search "QUERY"`, where `QUERY` is derived from the user-provided `$ARGUMENTS`. This pattern is susceptible to command injection if the agent fails to properly escape shell metacharacters in the user input.
- [PROMPT_INJECTION]: The skill exhibits an Indirect Prompt Injection surface (Category 8). Data retrieved from the external Semantic Scholar API (such as paper titles, author names, and venues) is used as command-line arguments for a secondary script in Step 7 (`tools/research_wiki.py`).
  - Ingestion points: Data enters the context from the Semantic Scholar API search and paper detail endpoints (SKILL.md Step 2 and Step 3).
  - Boundary markers: No explicit instructions or delimiters are provided to the agent to distinguish between valid data and potentially malicious instructions embedded within the API response.
  - Capability inventory: The skill possesses the `Bash(*)` capability, specifically calling local Python scripts (`research_wiki.py`).
  - Sanitization: There is no mention of sanitizing, escaping, or validating the API-returned fields (e.g., `<title>`, `<authors>`) before they are interpolated into shell commands.
Audit Metadata