Getting Started with Research Superpowers
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Categories: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is designed to ingest and process untrusted external content from scientific databases (PubMed and Semantic Scholar). This is a significant risk surface because the same agent can delete files through the 'cleaning-up-research-sessions' workflow and make network requests, so an attacker who embeds instructions in a paper's abstract could steer the agent's file-system or network activity.
  - Ingestion points: searching-literature, evaluating-paper-relevance, finding-open-access-papers.
  - Boundary markers: none identified in the documentation.
  - Capability inventory: file deletion (cleanup), network access (APIs), local command execution.
  - Sanitization: no sanitization or filtering is mentioned.
- Command Execution (MEDIUM): The skill documentation explicitly instructs the agent to execute a local bash script, ./scripts/find-skills, for functionality discovery.
- External Downloads (LOW): The skill connects to non-whitelisted domains, including eutils.ncbi.nlm.nih.gov and api.semanticscholar.org, to retrieve data.
Recommendations
- The automated (AI) audit detected serious security threats; the skill fails the audit.
Audit Metadata