paper-audit

Warn

Audited by Gen Agent Trust Hub on Mar 13, 2026

Risk Level: MEDIUM
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted academic papers in various formats (.tex, .typ, .pdf) and includes their content in prompts for LLM reviewer agents such as the methodology and critical reviewers. A malicious document could attempt to override the reviewer's instructions to manipulate the audit results or extract context.
    • Ingestion points: Document files are parsed in scripts/audit.py and scripts/parsers.py.
    • Boundary markers: The agent definitions do not employ delimiters or instructions to ignore embedded commands in the paper content.
    • Capability inventory: The skill uses tools like Bash, Task, Read, Glob, and Grep.
    • Sanitization: No filtering or escaping logic is implemented for the paper content before it is passed to LLM agents.
  • [COMMAND_EXECUTION]: The skill employs dynamic module loading and executes external Python scripts. In scripts/parsers.py, it uses importlib to load modules from sibling directories such as latex-paper-en. Furthermore, scripts/audit.py uses subprocess.run to execute scripts from sibling directories. While the paths are resolved relative to the skill's own root, executing code from outside the skill's own package is a security concern if the filesystem environment is not strictly controlled.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 13, 2026, 11:15 PM