process-reviews
Warn
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: MEDIUM
PROMPT_INJECTION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from user-provided PDF files.
  - Ingestion points: The tool reads reviewer comments directly from external PDF files (reviews-original.pdf).
  - Boundary markers: There are no explicit delimiters or instructions provided to the agent to ignore potentially malicious instructions within the extracted text during the analysis or strategy generation phases.
  - Capability inventory: The agent has permissions to write files, edit files, and execute shell commands (latexmk, mkdir, cp, ls).
  - Sanitization: The instructions emphasize "verbatim" extraction and explicitly state "Never paraphrase reviewer text," which bypasses sanitization of potentially malicious instructions embedded in the comments.
- [COMMAND_EXECUTION]: The skill uses the Bash(latexmk*) tool to compile LaTeX documents containing verbatim reviewer comments.
  - Macro Execution Risk: Malicious LaTeX macros (such as \write18, \input, or \include) embedded in a reviewer's comment could be executed by the compiler during the document build process. This could lead to unauthorized file reads or arbitrary command execution on the host system, depending on the environment configuration.
- [CREDENTIALS_UNSAFE]: The skill documentation references the requirement for a SCOPUS_API_KEY to query the Elsevier Serial Title API. While the key is not hardcoded in the provided file, the protocol indicates that the agent will use this credential for network operations.
Audit Metadata