research
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [Command Execution] (MEDIUM): The skill directs the agent to execute a bash command (`gemini`) using strings generated at runtime. This pattern is susceptible to shell injection if a generated research prompt contains characters like semicolons, pipes, or backticks that the shell interprets as command separators.
- [Indirect Prompt Injection] (LOW): The skill systematically gathers information from untrusted external sources, which can influence the agent's behavior.
  - Ingestion points: Data is retrieved via the `WebSearch` tool, and GitHub repository content is read through the `docs-seeker` skill.
  - Boundary markers: Absent; there are no instructions for the agent to use XML-style delimiters or other markers to isolate external data from its own logic.
  - Capability inventory: The skill can execute bash commands (`gemini`), write files to the local filesystem (reports), and recursively invoke search tools up to five times.
  - Sanitization: Absent; content fetched from the web is synthesized directly into markdown reports and used to determine subsequent search queries without any escaping or validation.
- [Data Exposure & Exfiltration] (LOW): The skill writes report files to paths constructed from variables such as `<plan-name>` and `<your-research-topic>`. If these variables are influenced by untrusted input and are not sanitized, they could be exploited for path traversal (e.g., using `../` to write outside the intended reports directory).
Audit Metadata