literature-review
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM
DATA_EXFILTRATION
Full Analysis
- Indirect Prompt Injection (MEDIUM): The skill is designed to ingest and process untrusted data from external sources.
  - Ingestion points: scripts/search_databases.py reads JSON files containing search results from literature databases. scripts/verify_citations.py fetches metadata from external APIs (CrossRef and doi.org) based on DOIs found in text.
  - Boundary markers: No explicit delimiters or instructions to ignore embedded commands are present in the formatting logic.
  - Capability inventory: Both scripts can write files to the local system (scripts/search_databases.py via --output and scripts/verify_citations.py which automatically saves a JSON report). They also perform network operations (HTTP GET/HEAD requests).
  - Sanitization: The scripts perform basic parsing and formatting but do not sanitize the content for potential prompt injection markers (e.g., instructions hidden in abstracts or titles).
- Data Exposure & Exfiltration (LOW): The scripts/verify_citations.py script makes network requests to doi.org and api.crossref.org. While these are legitimate academic services, the script sends a User-Agent string. There is no evidence of sensitive local file access or exfiltration of credentials.
Audit Metadata