openalex
Pass
Audited by Gen Agent Trust Hub on Apr 2, 2026
Risk Level: SAFE (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of the 'openalex-skill' package from the NPM registry. This package is a vendor-owned resource corresponding to the skill author 'shiquda'.
- [COMMAND_EXECUTION]: The skill executes the 'openalex' CLI tool to perform academic searches and metadata lookups. This involves standard command execution for a CLI-based tool.
- [PROMPT_INJECTION]: The skill ingests academic metadata and abstracts from the OpenAlex API, which represents an indirect prompt injection surface.
  - Ingestion points: Metadata is retrieved through subcommands like 'works search', 'works get', and 'authors search' in SKILL.md.
  - Boundary markers: The CLI tool provides structured output formats such as 'summary' and 'markdown' (which uses headings and code blocks) to help the agent distinguish between data and instructions.
  - Capability inventory: The skill enables broad read-access to academic metadata via the 'openalex' CLI.
  - Sanitization: The CLI reconstructs abstracts from inverted indices but does not explicitly document sanitization of the resulting text for injection patterns.
Audit Metadata