research-refine-pipeline
Warn
Audited by Gen Agent Trust Hub on Apr 19, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to use the Bash tool to write files via heredoc (`cat << 'EOF' > file`) if the standard Write tool fails due to size limits. It explicitly directs the agent to perform this action silently without seeking user permission, which bypasses standard oversight mechanisms and suppresses the user's ability to audit shell commands.
- [PROMPT_INJECTION]: The skill interpolates user-supplied input directly into a high-visibility instructional header (`Refine and concretize: **$ARGUMENTS**`). The lack of sanitization or delimiters makes it susceptible to prompt injection attacks where user input could override intended behavior.
- [EXTERNAL_DOWNLOADS]: The skill uses `WebSearch` and `WebFetch` to retrieve information from external, untrusted web sources to inform its research output.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to its processing of untrusted data from the web and local files.
  - Ingestion points: The workflow reads from `refine-logs/FINAL_PROPOSAL.md`, `refine-logs/REVIEW_SUMMARY.md`, and content fetched via `WebFetch`.
  - Boundary markers: The instructions do not define delimiters or provide specific directives to the agent to ignore instructions contained within the data it processes.
  - Capability inventory: The agent has access to powerful capabilities including shell command execution (`Bash`), file writing, web navigation, and the ability to invoke other agents.
  - Sanitization: No sanitization or validation logic is present to filter malicious instructions or malformed data from the ingested sources before they influence the agent's logic or subsequent file operations.