deep-research
Pass
Audited by Gen Agent Trust Hub on Mar 24, 2026
Risk Level: SAFE | PROMPT_INJECTION | DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. It ingests untrusted data from the internet via the `fetch_urls` parameter and automated web searches.
  - Ingestion points: External web content is retrieved in `run.py` via the `_fetch_page` function and the `tavily_search` tool.
  - Boundary markers: The skill does not use delimiters (e.g., XML tags or triple quotes) or system instructions to warn the agent that the fetched content may contain malicious commands.
  - Capability inventory: The skill requires `bash` access as defined in `SKILL.md`, which could be exploited if an injection succeeds.
  - Sanitization: Content sanitization is limited to stripping HTML tags using regular expressions in `run.py`, which does not prevent natural language instruction injection.
- [DATA_EXFILTRATION]: The skill performs network operations to non-whitelisted external domains.
  - Evidence: In `run.py`, the skill uses `urllib.request.urlopen` to fetch arbitrary URLs provided by the user or found during search.
  - Evidence: It utilizes the Tavily Search API to perform multi-source queries, which involves sending search terms to an external service.
Audit Metadata