self-review

Pass

Audited by Gen Agent Trust Hub on Apr 21, 2026

Risk Level: SAFE
Finding categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted text from external PDF and LaTeX files and feeds that text into the agent's reasoning workflow. (1) Ingestion points: files passed via $ARGUMENTS are processed by extract_pdf_text.py and parse_pdf_sections.py. (2) Boundary markers: the workflow has no explicit delimiters around the extracted paper text and no instruction to treat embedded commands in it as data rather than instructions. (3) Capability inventory: the skill uses local scripts to read file content and perform font-based parsing. (4) Sanitization: extracted text is passed to the reviewer personas without being sanitized or escaped.
  • [COMMAND_EXECUTION]: The skill executes shell commands to run Python scripts with user-supplied arguments. Evidence: SKILL.md shows examples that invoke the scripts with user-controlled filenames; if those filenames are interpolated into a shell command line without proper quoting or escaping, shell metacharacters in a filename become a command injection surface.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 21, 2026, 07:28 AM