research

Pass

Audited by Gen Agent Trust Hub on Mar 25, 2026

Risk Level: SAFE

Findings: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill contains 'Autonomy Rules' in SKILL.md that instruct the agent to 'Never stop to ask permission between searches.' This encourages the agent to bypass user confirmation checkpoints, reducing oversight while it autonomously processes untrusted data from the web.
  • [PROMPT_INJECTION]: The skill's workflow is susceptible to indirect prompt injection because it ingests large amounts of untrusted content from the internet.
  • Ingestion points: Web content is retrieved via external search scripts and academic papers are fetched via the alphaxiv.sh script.
  • Boundary markers: The instructions lack explicit delimiters or warnings to the agent to ignore any instructions embedded within the research sources.
  • Capability inventory: The skill possesses the ability to execute shell scripts and synthesize complex reports based on the ingested data.
  • Sanitization: There is no evidence of filtering or sanitization of the scraped content before it is processed by the agent.
  • [EXTERNAL_DOWNLOADS]: The scripts/alphaxiv.sh script fetches markdown-formatted summaries and paper text from the external domain 'alphaxiv.org' using curl.
  • [COMMAND_EXECUTION]: The skill executes several bash scripts located at fixed absolute paths in a specific user directory (e.g., /Users/tothemoon/.claude/skills/exa/scripts/exa.sh), creating a dependency on the integrity and existence of those external files.
  • [DATA_EXFILTRATION]: User-provided research queries, paper IDs, and URLs are transmitted to the 'alphaxiv.org' service during the data retrieval process.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 25, 2026, 01:48 AM