systematic-literature-review
Pass
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: SAFE
Tags: PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill ingests untrusted metadata (titles, abstracts, author names) from external academic APIs (OpenAlex, Semantic Scholar, Crossref) and places it in AI prompts for relevance scoring and content generation. This is an indirect prompt injection surface: anyone who can influence a record in these public databases (for example through a crafted title or abstract) can put text in front of the model that reads as instructions.
  - Ingestion points: `multi_query_search.py` and `openalex_search.py` collect data from the remote APIs into `papers.jsonl` files.
  - Boundary markers: the scoring prompt in `references/ai_scoring_prompt.md` uses clear section headers to separate instructions from paper data. Headers make the boundary explicit to the model but do not enforce it; the risk is reduced, not removed.
  - Capability inventory: the skill invokes local command-line tools (`xelatex`, `bibtex`, `pandoc`) through `subprocess.run` calls in the pipeline runner.
  - Sanitization: `select_references.py` and `build_reference_bib_from_papers.py` escape LaTeX special characters in the metadata, so that a hostile title or abstract can neither break the compilation nor inject commands into the TeX source.
- [COMMAND_EXECUTION]: The core workflow uses `subprocess.run` to execute research-related binaries (`xelatex`, `bibtex`, `pandoc`) that convert the LaTeX sources into PDF and Word documents. These calls run in the user's local environment and are required for the skill's primary purpose.
- [REMOTE_CODE_EXECUTION]: The script `scripts/compile_latex_with_bibtex.py` invokes shell commands with `shell=True` in order to set environment variables for the TeX compiler. The script applies `shlex.quote` to its arguments, so the calls are safe as written, but assembling a shell string is less robust than passing an argument list plus `env=` to `subprocess.run`: any future edit that interpolates a value without quoting turns that value into a command, so the pattern carries a minor, latent command injection risk.
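The two sanitization points above (LaTeX escaping of API metadata, and the `shell=True` plus `shlex.quote` construction beside its argv-plus-`env=` replacement), as an added example that is not the skill's own code. The function names, the sample bibliography record, the probe "compiler" and the hostile path are all constructed for this example and do not come from the audited scripts.

```python
"""Illustrative versions of the two sanitization points the audit describes.
Added example, not the skill's code: all names and sample data are invented.

  1. escape_latex(): escape untrusted paper metadata before it is written
     into a .bib file or the TeX source.
  2. shell_style_command() vs direct_env_call(): the shell=True-with-
     shlex.quote pattern next to the argv-list-plus-env form.
"""
import os
import re
import shlex
import subprocess
import sys

# LaTeX specials and their text-mode escapes. One regex pass replaces each
# character exactly once, so the backslashes and braces that a replacement
# introduces are never re-scanned (sequential str.replace calls would turn
# a single "\" into "\textbackslash\{\}").
_LATEX_SPECIALS = {
    "\\": r"\textbackslash{}",
    "&": r"\&",
    "%": r"\%",
    "$": r"\$",
    "#": r"\#",
    "_": r"\_",
    "{": r"\{",
    "}": r"\}",
    "~": r"\textasciitilde{}",
    "^": r"\textasciicircum{}",
}
_LATEX_RE = re.compile("|".join(re.escape(c) for c in _LATEX_SPECIALS))


def escape_latex(text: str) -> str:
    """Escape every LaTeX special character in untrusted text."""
    return _LATEX_RE.sub(lambda m: _LATEX_SPECIALS[m.group(0)], text)


def bib_entry(key: str, title: str, authors: str, year: str) -> str:
    """Build one @article entry from API metadata, escaping every field.
    The citation key is reduced to a safe character set because it also
    comes from the external record and is written unquoted into the .bib."""
    safe_key = re.sub(r"[^A-Za-z0-9:_-]", "", key) or "unnamed"
    return (
        f"@article{{{safe_key},\n"
        f"  title = {{{escape_latex(title)}}},\n"
        f"  author = {{{escape_latex(authors)}}},\n"
        f"  year = {{{escape_latex(year)}}}\n"
        "}\n"
    )


def shell_style_command(tex_path: str, texinputs: str) -> str:
    """The pattern the audit flags: environment variables set inline in a
    shell string meant for shell=True. shlex.quote keeps this correct only
    as long as every interpolated value is quoted; one unquoted f-string
    substitution later and a path such as '; $(...)' becomes a command."""
    return (
        f"TEXINPUTS={shlex.quote(texinputs)} "
        f"xelatex -interaction=nonstopmode {shlex.quote(tex_path)}"
    )


def direct_env_call(tex_path: str, texinputs: str, compiler=("xelatex",)):
    """Hardened form: an argv list (no shell ever parses it) and the
    environment passed as a dict. Returns (argv, env) for inspection."""
    env = dict(os.environ, TEXINPUTS=texinputs)
    argv = [*compiler, "-interaction=nonstopmode", tex_path]
    return argv, env


def run_direct(tex_path: str, texinputs: str, compiler=("xelatex",)) -> str:
    """Run the compiler with shell=False and return its stdout."""
    argv, env = direct_env_call(tex_path, texinputs, compiler)
    return subprocess.run(argv, env=env, check=True,
                          capture_output=True, text=True).stdout


# Stand-in for xelatex so the example runs offline: prints the TEXINPUTS it
# received and its last argument (the .tex path), as the real binary sees them.
PROBE_COMPILER = (
    sys.executable, "-c",
    "import os, sys; print(os.environ['TEXINPUTS']); print(sys.argv[-1])",
)

# Constructed hostile value: a directory name carrying shell metacharacters.
HOSTILE_PATH = "/tmp/paper dir; $(touch /tmp/pwned)"

if __name__ == "__main__":
    print(bib_entry("W2741809807", "100% & $x_1$ \\input{x}", "Doe, J.", "2021"))
    print(shell_style_command("main.tex", HOSTILE_PATH))
    # The hostile path reaches the compiler literally, never a shell.
    print(run_direct("main.tex", HOSTILE_PATH, PROBE_COMPILER), end="")
```

With `direct_env_call` the metacharacters in `HOSTILE_PATH` are inert by construction, because nothing between `subprocess.run` and the compiler interprets them; with `shell_style_command` they are inert only because `shlex.quote` was remembered at every interpolation point, which is the fragility the finding describes.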
Audit Metadata