alphaxiv
Fail
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: HIGH (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [DATA_EXFILTRATION]: The script contains a function `_read_zshrc` that opens and parses the user's shell configuration file (`~/.zshrc`) to extract the `ALPHAXIV_TOKEN`. Reading shell profile files is a high-risk activity, as these files often contain sensitive environment variables, aliases, and system credentials beyond the specific token requested.
- [COMMAND_EXECUTION]: The `_post_stream` function in `scripts/alphaxiv.py` uses `subprocess.run` to execute the `curl` binary. This is used to handle text/event-stream responses for the `ask` command. Executing external binaries via subprocess is a sensitive operation that can lead to command injection if input sanitization is bypassed.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and processes untrusted data from the AlphaXiv API, including paper abstracts, titles, and AI-generated overviews.
  - Ingestion points: Paper metadata and summaries are fetched via `_get` calls in `scripts/alphaxiv.py` and displayed to the agent.
  - Boundary markers: Absent. The content retrieved from the API is interpolated directly into the output sent back to the agent without delimiters or warnings to ignore embedded instructions.
  - Capability inventory: The skill has capabilities for file system access (reading `~/.zshrc`) and subprocess execution (`curl`) in `scripts/alphaxiv.py`.
  - Sanitization: Absent. The script performs no validation or filtering of the text content returned by the API before presenting it to the agent.
Recommendations
- AI detected serious security threats
Audit Metadata