literature-search
Fail
Audited by Gen Agent Trust Hub on Apr 21, 2026
Risk Level: HIGH
CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill contains a command in SKILL.md that attempts to read a sensitive API key from a hardcoded local file path: /Users/lingzhi/Code/keys.md. This practice exposes local credentials and assumes a specific filesystem structure.
  - Evidence: grep S2_API_Key /Users/lingzhi/Code/keys.md in the Semantic Scholar script section.
- [COMMAND_EXECUTION]: The instructions utilize shell command substitution and pipes ($(grep ... | cut ...)) to handle credentials, which is an unsafe pattern for managing sensitive data in agent instructions.
- [DATA_EXFILTRATION]: The skill performs network requests to well-known academic services including arxiv.org, api.crossref.org, and api.openalex.org. While these are legitimate for the skill's purpose, the inclusion of a credential-harvesting command creates a potential path for exfiltration.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and processes untrusted data (paper titles, abstracts, and LaTeX source) from external APIs and provides the agent with file-writing capabilities.
  - Ingestion points: Academic metadata and source files fetched via scripts/download_arxiv_source.py, scripts/search_crossref.py, and scripts/search_openalex.py.
  - Boundary markers: Absent. The skill does not use delimiters or instructions to ignore embedded commands within the processed academic content.
  - Capability inventory: The skill performs file system writes (results_s2.jsonl, merged.jsonl, references.bib, and the arxiv_papers/ directory).
  - Sanitization: Minimal. scripts/search_crossref.py performs basic HTML tag stripping from abstracts, but no comprehensive sanitization of LaTeX or metadata content is present.
Recommendations
- AI detected serious security threats