nature-ref-verifier
Pass
Audited by Gen Agent Trust Hub on Jul 6, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted data from external sources.
- Ingestion points: Untrusted data enters the context via bibliography lists, BibTeX files, and academic search results from Crossref, IEEE Xplore, and general web search (referenced in SKILL.md and README.md).
- Boundary markers: No explicit delimiters or instructions are provided to the agent to treat reference metadata as data rather than instructions, increasing the risk of the agent obeying embedded commands.
- Capability inventory: Across its workflow, the skill can generate shell commands for
zotero-cliand perform network operations viaWebSearchandFetchURL. - Sanitization: The instructions do not specify any validation or sanitization of the bibliographic data before it is processed or used to generate commands.
- [COMMAND_EXECUTION]: The skill dynamically generates
zotero-cli editcommands intended for updating a user's local Zotero library. Because these commands are constructed using metadata retrieved from external searches, there is a risk of command injection if the remote data source is malicious. - [DATA_EXFILTRATION]: The skill sends bibliographic information (titles, authors) to external services and search engines like Crossref and Bing. While this is required for the skill's primary function, it constitutes outbound network traffic to non-whitelisted domains.
Audit Metadata