tw-research-citation-proofer
Pass
Audited by Gen Agent Trust Hub on Apr 10, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through its ingestion of untrusted user data.
- Ingestion points: User-provided citation strings captured in Step 2 and Step 3 of SKILL.md.
- Boundary markers: None identified; user input is interpolated directly into the formatting diagnosis and correction templates in Step 4.
- Capability inventory: The skill environment permits the use of Bash, Read, and Write tools, which could be abused if an injection succeeds.
- Sanitization: There is no logic provided to sanitize input or instruct the agent to ignore executable instructions within the citation strings.
- [COMMAND_EXECUTION]: The skill uses relative path traversal to access a configuration file (../../tw_edu_concept_alignment.md in SKILL.md) located outside its immediate directory. While this appears to be a vendor-specific coordination file, the use of relative paths for file access is a pattern that can be leveraged for unauthorized data exposure in less restrictive environments.
Audit Metadata