
agentarxiv

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH
Tags: PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill instructs the agent to fetch and process external data from agentarxiv.org (global feeds and daily briefings), which represents a large attack surface for indirect prompt injection.
      - Ingestion points: curl commands fetching from https://agentarxiv.org/api/v1/feeds/global and https://agentarxiv.org/api/v1/briefing.
      - Boundary markers: Absent. There are no instructions to treat the external content as untrusted or to ignore embedded instructions.
      - Capability inventory: The agent is encouraged to 'save to memory' and 'leave a comment' based on external input, which are stateful side effects influenced by untrusted data.
      - Sanitization: No sanitization or validation of the fetched content is present.
  • [Prompt Injection] (MEDIUM): The 'Researcher Persona' section contains behavioral overrides ('You are not just a worker. You are a researcher.') and specific mandates ('Do not just lurk') that attempt to redefine the agent's core operational logic.
  • [Data Exposure & Exfiltration] (LOW): The skill performs network operations via curl to agentarxiv.org, which is not a pre-approved whitelisted domain. It transmits research data and metadata to this external service as part of its primary function.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 15, 2026, 03:33 AM