deep-research

Pass

Audited by Gen Agent Trust Hub on Apr 1, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill manages a tmux session named 'deep-research' and uses the send-keys tool to execute an external binary at /opt/homebrew/bin/codex. This binary is used with full-auto mode to perform the actual research tasks.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) because it aggregates untrusted data from the web. Ingestion points: In Phase 5 and Phase 7, the orchestrator reads output files (e.g., output/{node_id}/output.md) produced by external web-research agents. Boundary markers: The instructions lack robust markers or instructions to treat the synthesized content as untrusted data. Capability inventory: The orchestrator has access to Bash, Write, and Edit, which could be exploited if an injection influences the generation of subsequent shell commands or file operations. Sanitization: There is no evidence of sanitization or validation of the fetched search results before they are processed by the orchestrator.
  • [COMMAND_EXECUTION]: Employs dynamic bash command generation for directory creation, prompt file management, and polling tmux panes for completion status.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 1, 2026, 08:33 AM