deep_research
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8) due to its core functionality.
- Ingestion points: External data enters the context through
read_url,wechat_article(SKILL.md), and thefile_convertertool which parses user-provided PDFs, Excel, and Word files using thedocument_preprocessor.pyresource. - Boundary markers: No explicit delimiters, 'ignore' instructions, or structural isolation are used when interpolating external content into the agent's working context in
SKILL.mdorresources/summarize.md. - Capability inventory: The skill allows the agent to use
browser_click,browser_fill, andcreate_document(SKILL.md). A malicious website or document could embed instructions to perform actions in the current browser session or manipulate the research report output. - Sanitization: No evidence of sanitization, filtering, or instruction detection exists for ingested external data.
- COMMAND_EXECUTION (MEDIUM): The skill orchestrates the execution of several internal Python utilities and browser automation tools.
- Evidence:
resources/execute.pyandresources/query_generator.pyare executed to process research queries. Thebrowser_*toolset (described inresources/browser_automation.md) performs direct interactions with web elements based on logic that may be influenced by injected instructions from the pages being visited. - EXTERNAL_DOWNLOADS (LOW): The skill requires external libraries and handles complex file formats.
- Evidence:
resources/document_preprocessor.pyutilizes themarkitdownpackage. Whilemarkitdownis from a trusted organization (Microsoft), the act of processing untrusted binary formats (PDF, DOCX) constitutes an attack surface for parser exploits, though downgraded to LOW per [TRUST-SCOPE-RULE].
Recommendations
- AI detected serious security threats
Audit Metadata