deep-research
Warn
Audited by Gen Agent Trust Hub on Mar 19, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill runs shell commands, including ls, find, and grep, to programmatically traverse and inspect the local filesystem.
- [DATA_EXFILTRATION]: The workflow scans the ~/Documents directory (up to three levels deep) to find and read files such as CLAUDE.md, schema.ts, and ARCHITECTURE.md. This broad automated scan of a user's personal documents folder for keyword-matching content risks exposing sensitive architectural details, private project metadata, and proprietary code patterns.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because its core function is ingesting data from untrusted external sources.
  - Ingestion points: Data is fetched from GitHub issues, Reddit threads, Hacker News, product review sites, and various web forums (SKILL.md, Steps 4 and 5).
  - Boundary markers: The instructions contain no boundary markers or delimiters separating untrusted web content from the agent's system instructions.
  - Capability inventory: The agent can execute bash commands and read local files (SKILL.md, Step 2).
  - Sanitization: There is no mention of sanitizing, escaping, or validating external content before the agent processes it. A malicious actor could embed instructions in a GitHub issue or forum post that the agent might inadvertently follow while performing its synthesis; combined with the bash and file-read capability above, such an instruction could direct the agent to read local files and send their contents elsewhere.
Audit Metadata