self-review
Pass
Audited by Gen Agent Trust Hub on Feb 22, 2026
Risk Level: SAFE
Flags: EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [External Downloads] (LOW): The skill documentation in SKILL.md instructs the user or agent to install external Python packages (pymupdf4llm, pymupdf, pypdf) using pip. While these are common libraries, installing dependencies at runtime is a potential risk vector for supply chain attacks.
- [Prompt Injection] (LOW): The skill is susceptible to Indirect Prompt Injection. It ingests data from untrusted academic papers (PDF or LaTeX) and uses that data to drive complex agent reasoning and scoring. An attacker could embed malicious instructions within a paper to manipulate the evaluation or bypass the persona-based review logic.
- Evidence Chain for Indirect Prompt Injection:
  - Ingestion points: extract_pdf_text.py and parse_pdf_sections.py read and extract content from user-provided PDF files.
  - Boundary markers: No specific delimiters or "ignore embedded instructions" warnings are used when the extracted text is passed to the LLM for review.
  - Capability inventory: The skill uses the extracted text to perform a multi-turn reasoning process involving three reviewer personas and reflection rounds.
  - Sanitization: No sanitization or filtering of the extracted text is performed before it is interpolated into the prompts.
Audit Metadata