study
Pass
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses bash scripts that incorporate user-provided input strings directly into shell variables (`USER_INPUT="<user-input>"`). Without proper sanitization by the underlying platform, this pattern is vulnerable to shell command injection.
- [EXTERNAL_DOWNLOADS]: The `download-pdf.cjs` script allows the agent to fetch files from any user-provided URL. Although it checks for PDF content types, this capability allows the agent to make network requests to arbitrary external servers.
- [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection (Category 8). It ingests untrusted data from PDFs via `scripts/parse-pdf.js` and processes the text to generate summaries and study materials.
  - Ingestion points: `scripts/parse-pdf.js` extracts raw text from user-provided PDF files.
  - Boundary markers: Absent; there are no specified delimiters or instructions to ignore embedded commands within the extracted paper text.
  - Capability inventory: The skill has access to the `Bash`, `Write`, `Edit`, and `Read` tools, which could be exploited by an injection attack.
  - Sanitization: Absent; the extracted text is passed to the model without filtering or sanitization.
- [REMOTE_CODE_EXECUTION]: The skill performs runtime installation of dependencies (`npm install` and `pip install pymupdf`). Downloading and installing packages from public registries at runtime introduces a risk of supply chain attacks or execution of malicious code if the registries or packages are compromised.
Audit Metadata