deep-research
Warn
Audited by Gen Agent Trust Hub on Apr 7, 2026
Risk Level: MEDIUMPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its architecture for processing untrusted external data.
- Ingestion points: External data enters the agent's context through search result snippets and titles processed in
scripts/company-gatherers.tsandscripts/web-researcher.ts. - Boundary markers: The report templates in
assets/report-templates/lack specific delimiters or instructions to treat interpolated search data as untrusted, increasing the risk that the agent may follow instructions embedded in web content. - Capability inventory: The skill environment facilitates persistent storage via a local SQLite database (
company_analysis.db) and file system writes viaBun.writein multiple scripts, providing a surface for malicious payloads to persist. - Sanitization: Data extracted from external sources is interpolated directly into markdown and HTML reports without escaping or validation. The
markdownToHTMLfunction inscripts/report-generator.tsis particularly vulnerable to cross-site scripting (XSS) if reports are viewed in a browser or another agent. - [COMMAND_EXECUTION]: The provided utility
scripts/report-generator.tscontains a file path traversal vulnerability in its command-line interface. - The
--templateCLI argument is passed to theloadTemplatefunction and used in apath.joinoperation without sanitization. This allows a maliciously crafted input to bypass intended directory constraints and potentially read arbitrary markdown files on the host system. Although the extension is restricted to.md, this poses a significant data exposure risk. - Remediation: Implement strict validation for the
templateandinputCLI arguments to ensure they remain within authorized directories and match expected file patterns. Use a whitelist for template names to prevent directory traversal.
Audit Metadata