literature-review
Pass
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (LOW): The skill is designed to ingest and process content from external academic sources and Wikipedia, creating a surface for indirect prompt injection attacks where malicious instructions hidden in research papers could influence the agent's behavior.
- Ingestion points: Search results from Semantic Scholar/arXiv and full paper texts retrieved during the research workflow (documented in SKILL.md and review-workflow.md).
- Boundary markers: Absent. The prompts do not instruct the model to ignore potential instructions within the retrieved research data.
- Capability inventory: The skill executes local Python scripts and performs file system operations via its workflow scripts.
- Sanitization: No sanitization or escaping of the ingested text is performed before it is used to 'Synthesize an answer' or 'Generate a Literature Review'.
- [Command Execution] (LOW): The skill executes shell commands using the
pythoninterpreter to run scripts from other skill directories (~/.claude/skills/deep-research/ and ~/.claude/skills/literature-search/). - Evidence: Shell commands in
SKILL.mddirectly interpolate the 'topic' and 'query' arguments into command lines. - Risk: While standard for agent functionality, this pattern relies on the underlying scripts to properly sanitize arguments to prevent shell injection if the LLM generates a malicious query string.
Audit Metadata