paper-2-web
Fail
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: HIGH
Flags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill requires cloning an external, untrusted repository (https://github.com/YuhangChen1/Paper2All.git) to obtain the necessary scripts for processing academic papers.
- [COMMAND_EXECUTION]: The skill uses the Bash tool to execute a series of high-risk operations, including installing unverified Python packages from the untrusted repository (pip install -r requirements.txt) and running various processing scripts (python pipeline_all.py, python scripts/generate_schematic.py).
- [COMMAND_EXECUTION]: The installation guide explicitly instructs the user to use sudo for installing system dependencies like libreoffice and poppler-utils, which introduces a privilege escalation risk.
- [CREDENTIALS_UNSAFE]: The skill requires the user to store highly sensitive API keys (OPENAI_API_KEY, OPENROUTER_API_KEY, GOOGLE_API_KEY) in a .env file within the cloned repository directory.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its core functionality:
  - Ingestion points: Reads and processes untrusted LaTeX and PDF files provided by the user (described in SKILL.md and references/paper2web.md).
  - Boundary markers: No explicit boundary markers or instructions to ignore embedded commands within the ingested files are present.
  - Capability inventory: The skill has broad capabilities including Bash command execution, Write access to the filesystem, and network operations via API calls.
  - Sanitization: There is no evidence of sanitization or validation logic to prevent malicious instructions embedded in paper content from influencing the agent's behavior during extraction or generation tasks.
Recommendations
- AI detected serious security threats
Audit Metadata