summarise-paper
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is vulnerable to Indirect Prompt Injection because it ingests untrusted external data (LaTeX source and images) and processes it to generate summaries.
  - Ingestion points: Files downloaded from arxiv.org/src/ and extracted into .cache/, as well as images generated from local PDFs.
  - Boundary markers: Absent. There are no instructions to the agent to ignore or delimit instructions found within the downloaded papers.
  - Capability inventory: The agent can execute system commands (pdftoppm), write files to the filesystem (.cache/, note/), and perform network downloads.
  - Sanitization: None. The agent reads raw LaTeX source directly.
- COMMAND_EXECUTION (HIGH): The skill instructions include sudo apt-get install, which constitutes a privilege escalation attempt to acquire administrative rights on the host system.
- EXTERNAL_DOWNLOADS (LOW): The skill downloads content from arxiv.org. While arXiv is a reputable source, the content itself is user-uploaded and unvetted, serving as a carrier for the injection threat described above. Per [TRUST-SCOPE-RULE], the download itself is LOW, but the resulting behavior remains HIGH.
Recommendations
- AI detected serious security threats
Audit Metadata