lab-review
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is highly vulnerable to indirect prompt injection. It ingests untrusted data from PubMed and medRxiv (abstracts and titles) and passes this content directly to sub-agents for analysis and report generation.
  - Ingestion Points: `review-marker.mjs` fetches external data from the PubMed and medRxiv APIs.
  - Boundary Markers: None identified. The instructions do not specify delimiters or provide "ignore instructions" warnings for the external content.
  - Capability Inventory: The skill has access to `Bash(node *)` and `Task` (sub-agent spawning), allowing it to execute code and perform complex operations based on injected instructions.
  - Sanitization: None specified. The skill relies on natural language processing of raw abstracts.
- [COMMAND_EXECUTION] (MEDIUM): The skill uses `find` to dynamically locate script paths and then executes them using `node`. While the search is limited to the `~/.claude` directory, this pattern is brittle and could be exploited if a malicious file with a matching name is placed in a predictable path.
- [DATA_EXFILTRATION] (LOW): The skill accesses a local health database (`health.db`). While no direct exfiltration patterns were found, the combination of network access (PubMed) and sensitive database access is a risk factor if an injection occurs.
Recommendations
- AI detected serious security threats
Audit Metadata