idea-discovery
Warn
Audited by Gen Agent Trust Hub on Apr 19, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill reads from `~/.claude/feishu.json` to send automated status notifications ('checkpoints' and 'pipeline_done') to the Feishu platform. Accessing files within the `~/.claude` directory is a security risk because this location often contains sensitive agent configuration, session state, and authentication tokens.
- [COMMAND_EXECUTION]: The skill performs autonomous system operations, including running parallel pilot experiments on available GPUs with hard timeouts. It specifically instructs the agent to use Bash to write large files in chunks and to 'not ask the user for permission' if the primary Write tool fails, which encourages silent system modifications and reduces user oversight.
- [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection (Category 8). It ingests untrusted data from `RESEARCH_BRIEF.md` and external reference papers (via arXiv or URLs) and uses this content as the primary context for all subsequent phases, including idea generation and experiment planning.
  - Ingestion points: `RESEARCH_BRIEF.md`, `REF_PAPER` (local PDFs and remote URLs via WebFetch/arxiv skill).
  - Boundary markers: No explicit delimiters or instructions to ignore embedded commands are present when processing these external sources.
  - Capability inventory: The skill possesses high-privilege capabilities including `Bash(*)`, `Write`, `Edit`, and the ability to trigger other `Agent` and `Skill` workflows.
  - Sanitization: No evidence of sanitization, validation, or escaping of external paper content before it is interpolated into generation prompts.
Audit Metadata