deep-research
Fail
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: HIGH (CREDENTIALS_UNSAFE, COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill instructions (SKILL.md) and documentation (api-reference.md) direct the agent to retrieve API keys from a sensitive local file path at /Users/lingzhi/Code/keys.md. Accessing files named 'keys' or 'credentials' is a significant credential exposure risk.
- [COMMAND_EXECUTION]: The skill workflow relies on executing multiple local Python scripts via hardcoded absolute paths, including an external tool located at /Users/lingzhi/Code/documents/tool/paper_finder/paper_finder.py and various scripts in the ~/.claude/skills/deep-research/scripts/ directory.
- [PROMPT_INJECTION]: The skill processes untrusted PDF data from the internet, which introduces a surface for indirect prompt injection.
  1. Ingestion points: download_papers.py (downloads PDFs) and extract_pdf.py (extracts text).
  2. Boundary markers: None identified in the processing scripts.
  3. Capability inventory: Subprocess execution, network access to research APIs, and file system write access.
  4. Sanitization: No specific validation or filtering of extracted PDF text to prevent the agent from following embedded instructions.
- [EXTERNAL_DOWNLOADS]: The skill fetches paper metadata and PDF files from well-known research platforms including Semantic Scholar (api.semanticscholar.org), arXiv (export.arxiv.org), and ar5iv (ar5iv.labs.arxiv.org).
Recommendations
- AI detected serious security threats
Audit Metadata