research-lookup
Pass
Audited by Gen Agent Trust Hub on Apr 14, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The script `scripts/generate_schematic.py` executes a secondary internal Python script `generate_schematic_ai.py` using the `subprocess.run` method. This is used for delegating image generation tasks and follows best practices by using a list-based command structure to prevent shell injection.
- [EXTERNAL_DOWNLOADS]: The skill interacts with external APIs at `api.parallel.ai` and `openrouter.ai` to perform research lookups and generate scientific schematics. These are documented external services essential to the skill's operation.
- [INDIRECT_PROMPT_INJECTION]: The schematic generation tool interpolates user-provided descriptions directly into the prompt used by the AI reviewer model in `scripts/generate_schematic_ai.py`. While this creates an indirect injection surface, the impact is limited as the reviewer's output is used only for quality scoring and critique within a controlled workflow.
  - Ingestion points: The `prompt` argument in `scripts/generate_schematic.py` and `scripts/generate_schematic_ai.py`.
  - Boundary markers: None present in the interpolation of user input into the reviewer prompt.
  - Capability inventory: File system write access (for saving images), network access (for API calls), and local script execution via `subprocess`.
  - Sanitization: No specific sanitization or filtering is applied to the user-provided prompt before interpolation.
Audit Metadata