scholar-deep-research

Fail

Audited by Gen Agent Trust Hub on May 10, 2026

Risk Level: HIGH
PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill ingests untrusted text from academic papers and includes it in prompts for agent-based analysis in Phase 3. The evidence extraction template in references/agent_prompts/phase3_deep_read.md lacks boundary markers around ingested text, creating a surface for indirect prompt injection.
  • Ingestion points: PDF extraction results and search metadata fetched from external scholarly services.
  • Boundary markers: Absent around untrusted text interpolated into the agent prompts.
  • Capability inventory: The skill possesses command execution (subprocess.run) and network access (httpx) capabilities.
  • Sanitization: Extracted scholarly content is not sanitized or escaped before processing.
  • [COMMAND_EXECUTION]: The helper module scripts/_pdf_fetch.py discovers and executes a related skill (paper-fetch) via subprocess.run from predefined local paths. This is a vendor-intended modular integration for managing PDF downloads.
  • [EXTERNAL_DOWNLOADS]: The skill retrieves academic papers and metadata from well-known scholarly services including OpenAlex, arXiv, Crossref, and Unpaywall. These are established academic resources and their usage aligns with the skill's primary research purpose.
Recommendations
  • HIGH: Downloads and executes remote code from: unknown (check file) - DO NOT USE without thorough review
Audit Metadata
Risk Level: HIGH
Analyzed: May 10, 2026, 07:53 AM