research
Warn
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONCREDENTIALS_UNSAFEEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The Rust and Tauri application components (
apps/research-cli/src/commands/search.rsandapps/research-hub/src-tauri/src/research.rs) execute external binaries likebrave-search,valyu, andfirecrawl. User-provided research queries are passed directly as command-line arguments to these tools. This pattern is vulnerable to argument injection if a user provides input starting with dashes that the target binary interprets as configuration flags. - [CREDENTIALS_UNSAFE]: The skill's backend components read sensitive information, including API keys, from files in the user's home directory. Impacted files include
~/.config/last30days/.env,~/.valyu/.env, and~/.oracle/config.json. These paths are accessed directly by scripts likebackends/last30days-reddit-trends/scripts/lib/env.pyandbackends/valyu-recursive-confidence/cli/src/valyu.ts. - [EXTERNAL_DOWNLOADS]: This skill connects to and downloads data from numerous external search and AI services, including Brave Search, Firecrawl, Valyu AI, OpenAI, xAI, Tavily, and Exa AI. While these are well-known technology providers, the extensive use of external APIs increases the complexity and attack surface of the research pipeline.
- [PROMPT_INJECTION]: The skill uses 'indirect' injection patterns where scripts output instructions meant to influence the agent's next actions. For example,
backends/last30days-reddit-trends/scripts/last30days.pyprints specific commands for the agent to follow (e.g., 'Claude: Use your WebSearch tool...'). Additionally,backends/last30days-reddit-trends/BACKEND.mdcontains strict imperative behavioral directives ('CRITICAL: Ground your synthesis...', 'ANTI-PATTERN TO AVOID') that attempt to override standard agent behavior. - [PROMPT_INJECTION]: The research process ingests large volumes of untrusted data from the open web, Reddit, and X. This data is synthesized by LLMs to generate findings and next-step queries. The provided implementation does not include explicit sanitization or robust boundary markers to separate untrusted content from the system prompt, creating a vulnerability to indirect prompt injection from malicious source content.
Audit Metadata