latex-document-manager
Fail
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: HIGH
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill makes extensive use of the Bash tool to execute system-level commands such as latexmk, pdflatex, biber, and chktex. While these are required for its primary function, they represent a significant attack surface if malicious code is introduced via LaTeX source files or configuration files like .latexmkrc.
- [COMMAND_EXECUTION]: In references/latex-compilation-guide.md, the skill defines a diagnostic response template that instructs the agent to suggest sudo tlmgr install {package_name} to the user. Promoting the use of sudo for package management constitutes an instruction for privilege escalation, which is a high-severity security concern as it encourages bypassing standard system permissions.
- [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection (Category 8) due to its architecture for processing untrusted project files.
  - Ingestion points: The skill reads content from LaTeX files (.tex), bibliography files (.bib), and compilation logs (.log). These files are external data sources that may contain attacker-controlled content.
  - Boundary markers: The instructions for the sub-agents (Content Examiner, Writing Expert, and Proofreader) do not include the use of delimiters or instructions to ignore embedded commands, allowing malicious text in the files to potentially influence agent behavior.
  - Capability inventory: The orchestrator has the capability to execute arbitrary shell commands (Bash tool), modify files (Edit/Write tools), and open files (via the macOS open command).
  - Sanitization: There is no evidence of sanitization or validation of the content read from files before it is passed to the AI models for analysis or used to construct commands.
Recommendations
- AI detected serious security threats
Audit Metadata