citation-management
Fail
Audited by Gen Agent Trust Hub on Apr 21, 2026
Risk Level: HIGHCREDENTIALS_UNSAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The SKILL.md documentation explicitly directs the agent to retrieve an API key by reading a specific sensitive file path at
/Users/lingzhi/Code/keys.md. Accessing hardcoded local credential stores is a high-risk pattern that exposes the location and structure of the user's secrets.\n- [COMMAND_EXECUTION]: The search example in SKILL.md provides a complex shell command string using command substitution ($(...)) and text processing utilities (grep,cut,tr) to extract secrets. Instructing an agent to perform programmatic credential extraction via shell pipes is a dangerous practice.\n- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted content from LaTeX documents to generate automated actions.\n - Ingestion points: The
harvest_citations.pyscript reads the content of user-provided.texfiles to identify factual claims.\n - Boundary markers: No delimiters or instructions are present to ensure the agent ignores malicious instructions that might be embedded within the LaTeX source.\n
- Capability inventory: The skill enables the agent to read/write local files, execute Python scripts, and make network requests to the Semantic Scholar API.\n
- Sanitization: While the script uses URL encoding for search queries, there is no validation or filtering of the text extracted from the LaTeX file before it is used to drive the agent's iterative harvesting logic.
Recommendations
- AI detected serious security threats
Audit Metadata