paper-compilation
Fail
Audited by Gen Agent Trust Hub on Feb 22, 2026
Risk Level: HIGH (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION)
Full Analysis
- Privilege Escalation (HIGH): The `SKILL.md` file explicitly instructs the agent or user to execute `sudo apt install texlive-full` for troubleshooting. Directing the use of `sudo` is a high-risk pattern that can lead to unauthorized system modification.
- Remote Code Execution (HIGH): The skill runs `pdflatex` on the input `.tex` file. LaTeX is an inherently powerful language that, by default, often allows 'shell escape' (executing system commands) or reading/writing arbitrary files on the system. The script does not include the `-no-shell-escape` flag or other sandboxing measures to mitigate the risk of malicious `.tex` files.
- Command Execution (MEDIUM): The `compile_paper.py` script uses `subprocess.run` to execute multiple external binaries (`pdflatex`, `bibtex`, `chktex`). While it uses a list for command arguments to prevent simple shell injection, the execution of these binaries on untrusted input remains a security concern.
- Indirect Prompt Injection (LOW): The skill processes untrusted `.tex` data through an 'Auto-fix' loop in Step 3. An attacker could craft a LaTeX file that produces specific error messages in the logs, which are then parsed by the agent to trigger unintended file modifications or command parameters during the `fix_latex_errors.py` phase.
- Ingestion points: `paper/main.tex` and the resulting `compile.log`.
- Boundary markers: None present; the agent treats log errors as trusted instructions for correction.
- Capability inventory: File read/write via `compile_paper.py` and `fix_latex_errors.py`; execution of system binaries via `subprocess.run`.
- Sanitization: None; the script extracts raw error lines and displays them to the agent for processing.
Recommendations
- AI detected serious security threats
Audit Metadata