research
Warn
Audited by Gen Agent Trust Hub on May 4, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: In Phase 0 the skill runs shell commands such as test -e <path> and rg -n "<table_name>" with placeholders filled in from previous workflow steps. If those values are interpolated into the command string without validation or quoting, they can be used for command injection.
- [COMMAND_EXECUTION]: Phase 5 uses the GitHub CLI (gh issue create) to file research spikes. Its arguments, such as the issue title and labels, are derived from technical feature names; a name containing shell metacharacters could alter what is executed if the command is assembled as a string rather than as separate arguments.
- [DATA_EXFILTRATION]: When the spike-issue storage mode is selected, the skill exports a "Research Document" to GitHub as an issue. This document contains repository-specific data, including dependency versions, file paths and implementation patterns, which is transferred to an external service.
- [EXTERNAL_DOWNLOADS]: Phase 4 fetches documentation and migration guides from external URLs via web search. This introduces third-party content into the agent's context and makes the workflow depend on external information fetched over the network.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection.
  - Ingestion points: Phase 4 fetches external library documentation and Phase 0 reads dependency manifests.
  - Boundary markers: None identified in the instructions to separate external data from system instructions.
  - Capability inventory: The skill can write files to the ~/.claude/research/ directory and create GitHub issues using the gh tool.
  - Sanitization: No evidence of input validation or escaping for external content before it is processed or used in shell commands.
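The two COMMAND_EXECUTION findings and the DATA_EXFILTRATION finding above come down to how placeholder values and the exported document reach the shell and the gh CLI. As an added example (not code from the audited skill or from Gen Agent Trust Hub), the POSIX shell functions below show the handling an auditor would want to see in the skill's instructions: validate each placeholder against an allowlist, pass it as a separate argument with option parsing terminated, send the issue body through a file rather than the command line, and refuse to file a body that contains obvious credentials. The function names, the allowlist and the secret patterns are assumptions for illustration, not anything the skill defines.

```shell
#!/bin/sh
# Added example, not code from the audited "research" skill. Function names,
# the character allowlist and the secret patterns are illustrative assumptions.
# Placeholder values (paths, table names, feature names, labels) are treated
# as data: validated, then passed as separate arguments, never interpolated
# into a command string or run through eval.
set -eu

# Allowlist for any value that reaches `test -e`, `rg -n` or `gh issue create`.
# Rejects empty values, a leading '-' (which rg/gh would parse as an option),
# shell metacharacters, newlines and over-long strings.
validate_name() {
  value=${1-}
  case $value in
    '' | -*) return 1 ;;
    *[!A-Za-z0-9\ ._:/-]*) return 1 ;;
  esac
  [ ${#value} -le 200 ]
}

# Phase 0 check: the path is quoted, so a value such as 'x; rm -rf /' would
# be one argument to test rather than a second command (and is rejected anyway).
path_exists() {
  validate_name "${1-}" || return 1
  [ -e "$1" ]
}

# Phase 0 search argv, printed one argument per line so it can be inspected.
# --fixed-strings makes the table name a literal; -- ends option parsing.
search_argv() {
  validate_name "${1-}" || return 1
  printf '%s\n' rg -n --fixed-strings -- "$1"
}

# Exfiltration guard for the Research Document: refuse to file a body that
# carries obvious credentials. Extend the patterns for your own repository.
body_is_clean() {
  ! grep -Eq -e 'PRIVATE KEY' -e 'ghp_[A-Za-z0-9]{20,}' -e 'AKIA[0-9A-Z]{16}' -- "$1"
}

# Phase 5 argv: issue_argv TITLE BODY_FILE [LABEL...]. Title and every label
# are validated individually; the body travels via --body-file so its
# contents never touch a command line.
issue_argv() {
  [ $# -ge 2 ] || return 1
  title=$1; body_file=$2; shift 2
  validate_name "$title" || return 1
  body_is_clean "$body_file" || return 1
  for label in "$@"; do validate_name "$label" || return 1; done
  printf '%s\n' gh issue create --title "$title" --body-file "$body_file"
  for label in "$@"; do printf '%s\n' --label "$label"; done
}
```

The argv functions print one argument per line so a reviewer can confirm that a hostile feature name such as users; rm -rf / never makes it into the list; in the skill itself the same arguments would be passed directly to rg and gh. The rg flags (--fixed-strings, --) and the gh issue create flags (--title, --body-file, --label) are real options of those tools. This covers the command-injection and exfiltration findings only; the prompt-injection finding (no boundary markers around fetched documentation) needs a change to the instructions, not to the shell commands.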
Audit Metadata