wos-search
Pass
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes `evaluate_script` to execute JavaScript that extracts the Web of Science Session ID (SID) from the browser's resource performance entries. It also utilizes `initScript` to modify the `navigator.webdriver` property, which is a common technique for evading bot detection mechanisms.
- [DATA_EXFILTRATION]: The skill accesses the active Session ID (SID) of the user's Web of Science account. Although the token is used to authenticate requests to the same origin (webofscience.com), accessing session-level credentials from the browser logs is a sensitive data exposure.
- [PROMPT_INJECTION]: The skill processes untrusted data (titles, authors, and abstracts) retrieved from an external API, creating a surface for indirect prompt injection.
  - Ingestion points: Data is fetched from the WoS API through the `evaluate_script` tool call in Step 2.
  - Boundary markers: No boundary markers or 'ignore' instructions are used when presenting results in Step 3.
  - Capability inventory: The skill has the ability to execute arbitrary JavaScript in the browser (`evaluate_script`) and navigate to arbitrary URLs (`navigate_page`).
  - Sanitization: The skill performs basic sanitization by stripping HTML tags from the abstract field using a regular expression.
Audit Metadata