paper-workbench
Pass
Audited by Gen Agent Trust Hub on Apr 8, 2026
Risk Level: SAFE
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill facilitates indirect prompt injection by processing untrusted academic content.
  - Ingestion points: External papers (PDFs, ArXiv metadata) are fetched and parsed by scripts/normalize_paper.py and scripts/xray_io.py.
  - Boundary markers: Extracted data is structured into a paper-record JSON schema, but instructions in references/modes/interpret.md and references/modes/xray.md tell the agent to treat these fields as its primary fact source without explicit warnings to ignore instructions embedded in the data.
  - Capability inventory: The skill possesses the ability to execute Python scripts via the Bash tool and write files to disk (using the --save flag in the normalizer).
  - Sanitization: Extracted text undergoes basic formatting (whitespace normalization, cleaning) but lacks specific filtering or sanitization for malicious prompt sequences.
- [EXTERNAL_DOWNLOADS]: Fetches paper metadata and text from well-known academic services such as arxiv.org, alphaxiv.org, and api.crossref.org. It also downloads PDFs from user-provided URLs for text extraction.
- [DATA_EXFILTRATION]: Reads local PDF and text files specified via the --source argument to extract content for normalization.
- [COMMAND_EXECUTION]: Executes bundled Python scripts (normalize_paper.py) via the Bash tool to normalize paper data and perform text extraction. It also dynamically loads a local helper script (scripts/xray_io.py) using importlib for PDF processing tasks.
Audit Metadata