academic-writer
Pass
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill requests `shell:exec` permissions to perform its tasks. It uses `subprocess.run` to execute the `latexmk` system utility for PDF generation. This behavior is expected for its primary purpose but grants the agent the ability to run external binaries.
- [DATA_EXPOSURE]: The tools `read_reference` and `scan_template` in `scripts/writer_tools.py` provide read access to the local file system. This allows the agent to ingest the contents of provided files (including `.docx`, `.txt`, and `.tex`) into its processing context.
- [PRIVILEGE_ESCALATION]: The setup instructions in `SKILL.md` require the user to run `sudo` commands to install the LaTeX distribution (`texlive-full`) and compilation tools. While standard for environment setup, this involves high-privilege system modifications.
- [INDIRECT_PROMPT_INJECTION]: The skill possesses a broad vulnerability surface for indirect prompt injection via untrusted data ingestion.
  - Ingestion points: The `read_reference` function in `scripts/writer_tools.py` reads content from user-provided files (e.g., notes or draft documents), and `scan_template` reads the headers of LaTeX files in the directory.
  - Boundary markers: No markers or delimiters are used to separate external content from the agent's instructions.
  - Capability inventory: The skill has file-writing capabilities (`write_latex_content`) and command execution capabilities (`compile_pdf` invoking `latexmk`).
  - Sanitization: There is no evidence of sanitization or filtering of the content read from files before it is passed back to the LLM context, allowing potentially malicious instructions embedded in documents to influence agent behavior.
Audit Metadata