journal-adapt
Pass
Audited by Gen Agent Trust Hub on May 16, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes external CLI tools to perform PDF-to-Markdown conversion. Specifically, it uses `python3 -m mineru.cli.pdf_to_md` to process research papers and manuscripts provided by the user. While this is a functional requirement for the skill's purpose, it involves running shell commands on local files.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It ingests untrusted data from a corpus of research papers and user-provided exemplars to generate a `dynamic_writing_skill.md` file, which is then loaded as the authoritative instruction set for the second phase of the agent's execution. A malicious document in the input corpus could contain hidden instructions designed to manipulate the agent's behavior during the revision phase.
- Ingestion points: Step 2 (Corpus conversion) and Step 3 (Style Card extraction) ingest content from external PDF/Markdown files.
- Boundary markers: The skill lacks robust technical delimiters to separate untrusted document content from the agent's internal reasoning, relying instead on high-level natural language instructions to 'describe only structure'.
- Capability inventory: The agent has the capability to write files to the local file system and execute shell commands (`mineru`).
- Sanitization: There is no evidence of automated sanitization or filtering of the text extracted from the external papers before it is processed by the LLM.
Audit Metadata