cnki-journal-search
Warn
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill's instructions for executing browser scripts are vulnerable to script injection.
- Evidence: Step 2 uses a JavaScript template
const query = "QUERY_HERE";and instructs the agent to replace the placeholder with the search term. - Risk: A crafted search term containing quotes and semicolons could break the string literal and execute arbitrary JavaScript in the browser context where the tool runs.
- [EXTERNAL_DOWNLOADS]: The skill performs automated navigation to an external service.
- Evidence: Step 1 uses
mcp__chrome-devtools__navigate_pageto accesshttps://navi.cnki.net/knavi. - Context: This is a legitimate interaction with the CNKI academic database for the purpose of the skill.
- [DATA_EXFILTRATION]: The skill extracts and returns content from the target website.
- Evidence: The script in Step 2 parses the DOM and returns journal metadata including names, ISSNs, and impact factors to the agent.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection from the web content it processes.
- Ingestion points: Web content is extracted via
document.body.innerTextandquerySelectorAllin Step 2. - Boundary markers: No delimiters or boundary markers are used to isolate the untrusted data.
- Capability inventory: The skill has the capability to navigate pages and execute browser scripts via Chrome DevTools.
- Sanitization: No sanitization or validation is performed on the extracted journal data before it is returned to the agent context.
Audit Metadata