inno-idea-eval
Pass
Audited by Gen Agent Trust Hub on Apr 19, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a local Python script located at
~/.claude/skills/searching-ai-papers/scripts/search_ai_papers.pyusing the shell. The command includes a--queryparameter populated with strings generated by an LLM in the query extraction step. If the LLM generates a malicious query string (e.g., containing command delimiters or subshell syntax) and the agent executes it directly without sanitization, it could lead to command injection on the local system. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes untrusted research ideas and search results from external academic databases (arXiv, Semantic Scholar, OpenAlex). These inputs are interpolated into several critical prompt templates used for persona evaluations and meta-reviews.
- Ingestion points: Research ideas are read from
Ideation/ideas/selected_idea.txt, and literature search results are ingested from the output of thesearch_ai_papers.pyscript. - Boundary markers: The skill uses Markdown headers (e.g.,
## Idea to Evaluate,## Available Evidence) and code blocks as delimiters to separate instructions from the data being processed. - Capability inventory: The agent has access to
read_file,write_file, and shell execution (via the paper search script). - Sanitization: There is no evidence of explicit sanitization, character escaping, or validation of the ingested text before it is interpolated into the evaluator prompts.
Audit Metadata