research
Warn
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: MEDIUM
REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The `scripts/research.sh` file uses `npx -y mcp-remote https://mcp.tavily.com/mcp` to initiate an OAuth flow. This method downloads and executes a package from the npm registry at runtime.
- [DATA_EXFILTRATION]: The script recursively scans the `~/.mcp-auth/` directory for `*_tokens.json` files. This directory is a common storage location for sensitive authentication credentials. While the script filters for tokens issued by Tavily, the broad scanning of a credential directory is a security risk.
- [COMMAND_EXECUTION]: The skill executes multiple shell commands to manage files, process data using `jq` and `sed`, and perform network operations via `curl` to external endpoints.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it retrieves and processes content from external websites via the Tavily API. This data is returned to the agent without sanitization or boundary markers.
  • Ingestion points: Research results from the Tavily API in `scripts/research.sh`.
  • Boundary markers: None identified in the script or instructions.
  • Capability inventory: The script has permissions to read sensitive local directories, perform network requests, and write to the file system.
  • Sanitization: No content sanitization or instruction-ignoring delimiters are applied to the external data before it is passed to the agent.
Audit Metadata