literature-review
Pass
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: SAFE (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- Prompt Injection (LOW): The skill exhibits an indirect prompt injection surface (Category 8) inherent to literature review tools.
  - Ingestion points: scripts/search_databases.py ingests and parses results.json files; scripts/generate_pdf.py ingests and processes Markdown files.
  - Boundary markers: Absent. The scripts do not use specific delimiters or instructions to the LLM to ignore embedded commands within the ingested academic data.
  - Capability inventory: scripts/generate_pdf.py can execute system commands (pandoc, xelatex) and read/write local files; scripts/verify_citations.py performs network operations.
  - Sanitization: No sanitization or escaping is applied to citation metadata or search results before they are formatted into Markdown, BibTeX, or PDF, which could allow an attacker to embed malicious LaTeX or Markdown instructions in a research paper's metadata.
- Command Execution (LOW): scripts/generate_pdf.py utilizes subprocess.run to call external binaries. While it correctly uses list-based arguments to prevent shell injection, the execution of complex tools like pandoc and xelatex on untrusted input carries a baseline risk of exploitation through document-based attack vectors (e.g., LaTeX \input commands).
- External Downloads (SAFE): scripts/verify_citations.py makes outbound HTTP requests to academic metadata providers (doi.org and crossref.org). These are legitimate, purpose-specific API calls and do not involve downloading or executing remote code.
Audit Metadata