draft-review
Pass
Audited by Gen Agent Trust Hub on Apr 8, 2026
Risk Level: SAFE
Category: PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted documents and source code that could contain malicious instructions designed to hijack the agent's logic.
- Ingestion points: The skill ingests data from external files such as PDFs, TeX, Markdown documents, and source code during Phase 1 ('Document Ingestion').
- Boundary markers: There are no explicit boundary markers or instructions to treat the ingested content strictly as data, increasing the risk that the LLM might follow instructions embedded within the paper.
- Capability inventory: The skill possesses the ability to read local files, invoke external skills (e.g., 'mistral-pdf-to-markdown'), and delegate tasks to sub-agents via the 'spawn_agent' command using context derived from the untrusted files.
- Sanitization: There is no evidence of sanitization, escaping, or filtering of the content extracted from the documents before it is interpolated into prompts for the primary agent or its sub-agents.
Audit Metadata