reading-agent
Pass
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: SAFE (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill invokes local bash scripts (scripts/pdf-to-md.sh and scripts/read-paper.sh) and a Python script (scripts/ingest.py) via the uv environment manager. These scripts handle document conversion using the docling library.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting and processing untrusted text from external PDF and EPUB files. This content is then interpolated into prompts for both the primary agent and 'haiku' sub-agents.
  - Ingestion points: External documents are read and converted to markdown via the workflows described in SKILL.md and the provided shell scripts.
  - Boundary markers: The prompt template for sub-agents uses headers but lacks explicit delimiters or specific 'ignore embedded instructions' warnings for the {markdown_content} block.
  - Capability inventory: The agent can execute local shell commands, perform file writes to the local filesystem, and spawn sub-agent tasks using the Task tool.
  - Sanitization: No input sanitization or content filtering is performed on the text extracted from the academic papers before it is included in the LLM's context.
Audit Metadata