paper-writer
Warn
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: MEDIUM (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: The file references/hook-compatibility.md provides detailed instructions on how to bypass "doc blocker" hooks configured in the agent environment. It explicitly recommends using a Bash heredoc (cat << 'EOF') to circumvent security interceptions that would otherwise prevent the agent from creating or modifying markdown files: a hook that only watches the agent's file-write tool never sees a file written through the shell tool.
- [INDIRECT_PROMPT_INJECTION]: The skill has a large attack surface for indirect prompt injection (Category 8). It is designed to ingest untrusted data from multiple external sources and process it using the LLM's capabilities.
  - Ingestion points: The skill uses WebSearch and WebFetch to retrieve content from PubMed, Google Scholar, and journal websites (documented in SKILL.md and references/pubmed-query-builder.md). It also reads user-provided CSV and Excel files for statistical analysis.
  - Boundary markers: There are no explicit delimiters around fetched content, and no instruction to ignore embedded commands, when the agent processes the contents of searched literature or data dictionaries.
  - Capability inventory: The skill possesses extensive capabilities, including file system writes (creating project directories and scripts), subprocess execution (pip install, pandoc, pdflatex), and network operations via built-in tools. Injected instructions therefore reach an agent that can both write and execute code.
  - Sanitization: No evidence of sanitization or escaping of external content before it is interpolated into prompts or used in script generation.
- [COMMAND_EXECUTION]: The statistical analysis scripts (e.g., scripts/analysis-template.py) use dynamic string interpolation to construct formulas for the statsmodels library from user-provided column names. While intended for legitimate analysis, this pattern could be exploited if malicious data is provided in the input CSV headers: statsmodels formulas are evaluated by patsy as Python expressions, so a header that carries an expression rather than a plain name is executed when the model is fit.
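The check a doc-blocker hook needs in order to close the gap described under [PROMPT_INJECTION] is to inspect the shell command the agent runs, not only calls to the file-write tool. The following is an added example, not code from the paper-writer skill or from this audit; it assumes the hook is handed the raw command string (the `command` argument), and the sample commands are constructed. It flags the heredoc form the audit quotes and the other shell spellings of "write a markdown file" that such a blocker would equally miss.

```python
import re
import shlex

MD_FILE = re.compile(r"\.(md|mdx|markdown)$", re.IGNORECASE)
SEPARATORS = {"|", "||", "&&", ";"}
REDIRECTS = {">", ">>", "1>", "1>>", "&>", "&>>"}

# Constructed sample commands (assumption: the hook sees the raw command string).
# The first is the heredoc pattern the audit quotes; the rest are variants that a
# blocker watching only the agent's file-write tool would equally miss.
SAMPLE_COMMANDS = [
    "cat << 'EOF' > README.md\n# Title\nEOF",
    "cat <<EOF >> docs/notes.md\nmore text\nEOF",
    "printf 'entry' | tee -a CHANGELOG.md",
    "mv draft.txt docs/guide.md",
    "cat README.md",                     # read only: must not trigger
    "python analysis.py > results.csv",  # a write, but not to a markdown file
]


def markdown_write_targets(command: str) -> list[str]:
    """Return the markdown paths a shell command would create or modify.

    Covers redirections (including the heredoc form), tee, and cp/mv targets.
    Heredoc body lines are tokenised as well; that can only add false positives,
    which is the right failure direction for a blocking hook.
    """
    targets: list[str] = []
    for line in command.splitlines():
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:  # unbalanced quote inside a heredoc body
            tokens = line.split()
        i = 0
        while i < len(tokens):
            tok = tokens[i]
            if tok in REDIRECTS:  # "> file.md" / ">> file.md" with a space
                if i + 1 < len(tokens) and MD_FILE.search(tokens[i + 1]):
                    targets.append(tokens[i + 1])
                i += 2
                continue
            glued = re.match(r"^(?:1|&)?>{1,2}(.+)$", tok)  # ">file.md" with no space
            if glued and MD_FILE.search(glued.group(1)):
                targets.append(glued.group(1))
            elif tok in ("tee", "cp", "mv"):
                args = []
                for arg in tokens[i + 1:]:
                    if arg in SEPARATORS:
                        break
                    if not arg.startswith("-"):
                        args.append(arg)
                # tee writes every path it is given; cp/mv write only the last one
                written = args if tok == "tee" else args[-1:]
                targets.extend(a for a in written if MD_FILE.search(a))
            i += 1
    return targets


def should_block(command: str) -> bool:
    """Decision a pre-tool hook would return for a Bash invocation."""
    return bool(markdown_write_targets(command))


if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        verdict = "BLOCK" if should_block(cmd) else "allow"
        print(f"{verdict:5} {cmd.splitlines()[0]!r} -> {markdown_write_targets(cmd)}")
```

The parser is deliberately conservative: it does not try to evaluate variables, subshells or `eval`, so a hook built on it should treat any command it cannot tokenise as blocked rather than allowed, and the real fix remains denying the shell tool write access to the protected paths at the filesystem or sandbox level.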
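The interpolation pattern the [COMMAND_EXECUTION] finding describes, beside a hardened formula builder. This is an added example, not the skill's scripts/analysis-template.py or any code from the audit; the header rows are constructed and the function names are assumptions. It does not import statsmodels: it shows only the formula string that would be handed to it, which is where the check has to happen.

```python
import keyword
import re

# Constructed CSV header rows. The hostile one carries a Python expression in a
# column name: patsy, which statsmodels' formula API uses, evaluates each formula
# term as a Python expression, so plain interpolation hands that expression to it.
CLEAN_HEADERS = ["age", "bmi", "treatment_arm", "Blood Pressure"]
HOSTILE_HEADERS = ["age", "__import__('os').system('id')", "bmi"]

IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
# Names allowed inside Q("..."): no quotes, backslashes, parentheses or operators,
# so the string literal cannot be closed early and nothing inside it is evaluated.
QUOTABLE = re.compile(r"^[A-Za-z0-9_ .\-]+$")
# patsy helper names that a bare identifier would shadow or collide with
PATSY_RESERVED = {"Q", "C", "I", "np", "center", "scale", "standardize"}


class UnsafeColumnName(ValueError):
    pass


def build_formula_naive(outcome: str, predictors: list[str]) -> str:
    """The pattern the audit flags: header strings go into the formula verbatim."""
    return f"{outcome} ~ {' + '.join(predictors)}"


def formula_term(name: str, columns: set[str]) -> str:
    """Render one column as a formula term, or refuse.

    Membership in the loaded frame is necessary but not sufficient: the hostile
    header really is a column, so the allowlist below is what rejects it.
    """
    if name not in columns:
        raise UnsafeColumnName(f"{name!r} is not a column of the loaded data")
    if IDENTIFIER.match(name) and not keyword.iskeyword(name) and name not in PATSY_RESERVED:
        return name
    if QUOTABLE.match(name):
        return f'Q("{name}")'  # patsy's Q() refers to a column by its literal name
    raise UnsafeColumnName(f"{name!r} contains characters a formula would evaluate")


def build_formula_checked(outcome: str, predictors: list[str], columns) -> str:
    """Hardened builder: every name must exist in the frame and pass the allowlist."""
    cols = set(columns)
    lhs = formula_term(outcome, cols)
    rhs = " + ".join(formula_term(p, cols) for p in predictors)
    return f"{lhs} ~ {rhs}"


if __name__ == "__main__":
    print("naive  :", build_formula_naive("bmi", HOSTILE_HEADERS))
    print("checked:", build_formula_checked("bmi", ["age", "Blood Pressure"], CLEAN_HEADERS))
    try:
        build_formula_checked("bmi", ["age", HOSTILE_HEADERS[1]], HOSTILE_HEADERS)
    except UnsafeColumnName as exc:
        print("refused:", exc)
```

A generated analysis script that builds its formula through something like `build_formula_checked` still trusts the data values, but the column names, which are the only part of the CSV that reaches the formula evaluator, can no longer carry code.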
Audit Metadata