idea-creator
Pass
Audited by Gen Agent Trust Hub on Apr 19, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [INDIRECT_PROMPT_INJECTION]: The skill ingests untrusted data from external research papers and local libraries which is then interpolated into prompts for an external LLM without sanitization or boundary markers.
  - Ingestion points: WebSearch and WebFetch tools (Phase 1), local papers/ and literature/ directories (Phase 1), and research-wiki/ metadata (Phase 0).
  - Boundary markers: Prompt templates in Phase 2 and Phase 4 lack delimiters or instructions to ignore embedded commands in the provided research data.
  - Capability inventory: The agent has access to Bash(*), Write, and GPU experiment execution skills.
  - Sanitization: No sanitization or validation of the ingested text is performed before it is sent to the brainstorming model.
- [COMMAND_EXECUTION]: Instructions in SKILL.md direct the agent to silently use Bash to write files if the standard tools fail, explicitly advising it not to ask the user for permission. This reduces user oversight of file system modifications.
- [COMMAND_EXECUTION]: The skill executes a local Python script tools/research_wiki.py to manage research metadata. This script is part of the skill package but represents unverified code execution.
- [EXTERNAL_DOWNLOADS]: The skill performs extensive web searches and fetches content from external research venues and pre-print servers to build a landscape survey.