paper-workflow
Pass
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (LOW): The skill is designed to ingest and process academic papers, which are untrusted external data sources.
- Ingestion points: The agent uses
Read,Grep, andGlobtools to load the content of papers provided by the user into its context. - Boundary markers: The instructions lack explicit delimiters or system-level warnings to ignore natural language instructions that might be embedded within the papers being analyzed.
- Capability inventory: The skill has access to high-impact tools including
Bash,Write,Edit,WebFetch, andTask. If an attacker embeds instructions in a paper (e.g., in a LaTeX comment or hidden text), the agent might execute those commands via theBashtool. - Sanitization: There is no evidence of sanitization, escaping, or validation of the paper's content before it is processed or used to generate subsequent tool arguments.
- [Command Execution] (SAFE): The
Bashtool is enabled, which is high-risk. However, in the context of a 'paper-workflow' orchestrator, this is likely intended for file management and running local audit scripts, matching the primary purpose of the skill.
Audit Metadata