peer-reviewer
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted external data from manuscripts and Zotero full texts, creating a surface for indirect prompt injection. Maliciously crafted documents could attempt to influence the agent's behavior during analysis or synthesis phases.
  - Ingestion points: Local manuscript files read in `phases/phase0-intake.md` and Zotero full texts retrieved in `phases/phase1-retrieval.md`.
  - Boundary markers: None; the skill does not use specific delimiters or include instructions to ignore embedded commands within the ingested texts.
  - Capability inventory: Writing to local files (`reviews.md`, `synthesis-memo.md`), in-place modification of the manuscript file, and shell command execution via Git.
  - Sanitization: None; text content is processed directly for thematic and theoretical analysis.
- [COMMAND_EXECUTION]: The skill utilizes local `git` commands (`git add`, `git commit`) to track revisions and maintain version history. These commands use predefined commit messages and target specific files, minimizing the risk of arbitrary command execution. Evidence found in `SKILL.md` and `phases/phase5-revision.md`.
- [EXTERNAL_DOWNLOADS]: The skill documentation references an external Zotero MCP server hosted on GitHub as a prerequisite for literature retrieval. This reference is documented neutrally as a dependency on a well-known service for intended functionality. Referenced in `SKILL.md`.
Audit Metadata