arxiv-search
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill retrieves research paper titles and abstracts from the arXiv repository. Because arXiv content is user-submitted, an attacker could embed malicious instructions within a paper's metadata designed to hijack the agent's behavior once the content is processed.
- Ingestion points:
arxiv_search.pyfetches data via thearxivlibrary API. - Boundary markers: Absent. The script concatenates titles and summaries using only simple newlines, making it difficult for an agent to distinguish between the script's output and potentially malicious instructions within the paper text.
- Capability inventory: While this specific script only performs read operations, the resulting text is returned to the agent which typically possesses broader capabilities (file system access, command execution), creating a path for privilege escalation via the agent.
- Sanitization: Absent. No filtering or escaping is performed on the external content before it is passed to the agent.
- [External Downloads] (MEDIUM): The skill depends on the third-party
arxivPython package. The documentation explicitly instructs users to manually install this package via pip, which introduces an unverifiable dependency into the environment.
Recommendations
- AI detected serious security threats
Audit Metadata