openalex-paper-search
Pass
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: Fetches academic paper metadata and scholarly works from the OpenAlex API (api.openalex.org), which is an established and reputable service for open scholarly data.
- [COMMAND_EXECUTION]: Utilizes curl, bash, and python3 to execute REST API queries and process the resulting JSON data. These commands are necessary for the skill's stated purpose of academic research.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests untrusted academic data (paper titles, abstracts) from the OpenAlex API without explicit sanitization. However, the risk is mitigated by the scholarly nature of the source.
  - Ingestion points: JSON results from api.openalex.org
  - Boundary markers: None identified
  - Capability inventory: Shell access (bash), network access (curl), and file-system writing
  - Sanitization: Absent
- [REMOTE_CODE_EXECUTION]: Automated scans flagged instances where API results are piped to a Python interpreter. These patterns are for formatting JSON output using 'json.tool' or executing provided Python scripts that reconstruct paper abstracts from inverted indexes. These are safe, local data processing operations on content from a well-known academic source.
Audit Metadata