concept-dev
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it fetches and processes untrusted external content from the web during the drill-down and research phases.
  - Ingestion points: Untrusted data enters the session via web_researcher.py (which uses crawl4ai) and the /concept:research slash command.
  - Boundary markers: All external content in research artifacts (WR-xxx.md) is enclosed in <!-- BEGIN EXTERNAL CONTENT --> and <!-- END EXTERNAL CONTENT --> tags.
  - Capability inventory: The skill uses the Write and Read tools for local workspace management and executes Python scripts for session tracking.
  - Sanitization: web_researcher.py implements a _sanitize_content function that uses regex patterns to identify and redact injection vectors such as role-switching ('system:', 'user:'), instruction overrides ('ignore previous instructions'), and jailbreak keywords.
- [EXTERNAL_DOWNLOADS]: The skill relies on the crawl4ai Python package for its primary research functionality. README.md and the command definitions provide clear instructions for installation from PyPI. web_researcher.py includes a mechanism to re-execute itself using a pipx virtual environment interpreter, with a prefix validation check to ensure the interpreter path is within the expected user-local directory.
- [COMMAND_EXECUTION]: Local Python scripts are used extensively for state and metadata management.
  - All scripts (update_state.py, source_tracker.py, assumption_tracker.py, etc.) include a _validate_path function that uses os.path.realpath and relative path checking to prevent path traversal when accessing session files.
Audit Metadata