citation-verifier
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM | PROMPT_INJECTION | DATA_EXFILTRATION
Full Analysis
- [Indirect Prompt Injection] (MEDIUM): The skill is susceptible to indirect prompt injection because it ingests and acts upon untrusted data from user-provided documents.
  - Ingestion points: Document content is read using the `Read` tool to extract various citation identifiers.
  - Boundary markers: No explicit delimiters or instructions are provided to ensure the agent ignores natural language instructions that might be embedded within citation strings (e.g., in a fake DOI or paper title).
  - Capability inventory: The skill utilizes `WebFetch` and `WebSearch` to interact with external services based on extracted content.
  - Sanitization: The skill relies on regular expressions for extraction but lacks sanitization to prevent interpreted instructions from reaching the agent during the report generation phase.
- [Data Exposure & Exfiltration] (LOW): The skill's extraction logic for URLs is broad (`https?://[^\s\])"'<>]+`), allowing it to capture and fetch arbitrary links. Although the documentation suggests filtering for academic domains, the logic allows for potential Server-Side Request Forgery (SSRF) or information leakage if a malicious document contains URLs pointing to attacker-controlled servers.
Audit Metadata