lit-search
Pass
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: SAFE
PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes untrusted paper titles and abstracts from an external API and interpolates them into LLM prompts during the screening and annotation phases.
  - Ingestion points: External bibliographic metadata enters the agent context through the OpenAlex API (https://api.openalex.org) and is stored in data/database.json.
  - Boundary markers: Prompt templates in phases/phase2-screening.md and phases/phase5-annotation.md lack explicit delimiters (such as XML tags or unique separators) to distinguish academic content from operational instructions.
  - Capability inventory: The skill allows the agent to perform network requests using the requests library, write to the local filesystem, and execute git operations.
  - Sanitization: No sanitization, escaping, or validation of the fetched strings is performed before they are passed to the model for classification or data extraction.
- [EXTERNAL_DOWNLOADS]: The skill programmatically fetches bibliographic data and open-access PDF links from well-known and legitimate academic services, including the OpenAlex API and the Unpaywall API.
- [COMMAND_EXECUTION]: The skill utilizes Git commands (git add, git commit) to maintain a versioned history of the literature database and search memos as the research process evolves.
Audit Metadata