cnki-search
Fail
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: HIGH
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses a template for browser-based script execution where the $ARGUMENTS placeholder is directly inserted into a JavaScript string literal (const query = "YOUR_KEYWORDS";). This construction is vulnerable to script injection, as a malicious input could break out of the string quotes and execute arbitrary JavaScript code within the agent's browser context.
- [EXTERNAL_DOWNLOADS]: The skill navigates to https://kns.cnki.net, which is the official domain for CNKI (China National Knowledge Infrastructure), a well-known and legitimate academic resource.
- [PROMPT_INJECTION]: The skill has an attack surface for indirect prompt injection because it extracts and processes untrusted data from an external website.
  - Ingestion points: Paper titles, authors, and journal names are scraped from the search results page via evaluate_script.
  - Boundary markers: No delimiters or instructions are used to distinguish the extracted external content from the agent's own task instructions.
  - Capability inventory: The skill uses tools for browser navigation and JavaScript execution, which could be exploited if malicious instructions are followed.
  - Sanitization: No validation or sanitization is performed on the data extracted from the CNKI website before it is presented to the language model.
Recommendations
- AI detected serious security threats
Audit Metadata