daily-papers
Fail
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: HIGH (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The script enrich_papers.py uses asyncio.create_subprocess_shell to execute a shell command pipeline that pipes curl output through pdftotext into a local Python script (extract_affiliations.py). Constructing shell commands from dynamic strings (f-strings) is a risky practice that can lead to command injection; the arxiv_id variable interpolated into the command is constrained by a regular expression, so the current exposure depends entirely on that regex remaining strict.
- [EXTERNAL_DOWNLOADS]: The skill fetches paper metadata and PDF files from export.arxiv.org and huggingface.co, both well-known and reputable services for scientific research. Specifically, fetch_and_score.py retrieves paper lists, while download_note_images.py downloads figure images or extracts them from PDFs using pdfimages.
- [PROMPT_INJECTION]: The skill has an attack surface for indirect prompt injection (Category 8) because it processes untrusted paper titles and abstracts from external sources.
  - Ingestion points: fetch_and_score.py retrieves content from the arXiv and HuggingFace APIs.
  - Boundary markers: No explicit boundary markers or isolation instructions were found to separate the untrusted data from the agent's internal logic.
  - Capability inventory: The skill can perform file writes (e.g., updating .history.json and markdown files) and execute shell commands (e.g., curl, pdfimages), as seen in enrich_papers.py and download_note_images.py.
  - Sanitization: The code performs basic HTML tag stripping and uses regexes for extraction, but these measures are insufficient to mitigate prompt injection attempts embedded in paper abstracts, since stripping tags does not remove natural-language instructions.
Recommendations
- HIGH: Fetches remote content from https://arxiv.org/pdf/{arxiv_id} and https://export.arxiv.org/api/query?... and passes it through a locally executed shell pipeline and into the agent's context without isolation. DO NOT USE without thorough review.
Audit Metadata