skills/insight68/skills/deep-research/Gen Agent Trust Hub

deep-research

Pass

Audited by Gen Agent Trust Hub on Feb 28, 2026

Risk Level: SAFE
Finding categories: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection because it ingests untrusted data from the internet to synthesize research reports.
  • Ingestion points: Research data is gathered from the web via WebSearch and WebFetch tools during the RETRIEVE phase (documented in reference/methodology.md).
  • Boundary markers: The skill instructions in SKILL.md do not prescribe the use of specific delimiters or boundary markers to isolate retrieved web content from system instructions.
  • Capability inventory: The skill utilizes the Task tool for sub-agent spawning, performs file read/write operations via Write and Edit tools, and executes local Python scripts.
  • Sanitization: No explicit sanitization or filtering of external content is mentioned before it is synthesized into the report or passed to sub-agents.
  • [COMMAND_EXECUTION]: The orchestration engine (research_engine.py) and various workflow phases invoke several local Python scripts to perform critical tasks. This includes validate_report.py for quality checks, verify_citations.py for DOI/URL verification, and md_to_html.py for document conversion. The skill also executes system commands (e.g., open) to display generated reports to the user.
  • [EXTERNAL_DOWNLOADS]: The citation verification utility (scripts/verify_citations.py) performs outbound network requests using the urllib library. It contacts doi.org to resolve scholarly metadata and makes HEAD requests to arbitrary URLs found in the research bibliography to verify their status. While necessary for the research use case, this allows the skill to ping external servers based on content found during web searches.
  • [REMOTE_CODE_EXECUTION]: The 'Auto-Continuation System' implements recursive sub-agent spawning using the Task tool. The main agent constructs dynamic prompts for these sub-agents, which include instructions to read the existing report—content that is derived from untrusted web sources—to maintain 'narrative flow'. This creates a path where injected content in the research data could potentially influence the sub-agent's execution environment.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 28, 2026, 08:21 PM