academic-research
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill presents a high-risk surface for indirect prompt injection. Untrusted data enters the agent's context through web searches and user-provided URLs (Ingestion Points: Phase 2). No delimiters or 'ignore' instructions wrap this data (Boundary Markers: Absent). The agent can generate code and execute it via 'typst compile' (Capability Inventory: Phase 4-5, Tools). No sanitization or validation of the ingested paper content is performed (Sanitization: Absent). A maliciously crafted paper could therefore override the agent's instructions or influence the generated Typst output.
- [Command Execution] (MEDIUM): The skill executes 'typst compile' on documents that incorporate information from untrusted sources. This introduces a risk of exploiting the Typst compiler or the host environment if the generated content is manipulated by an adversary via indirect prompt injection.
Recommendations
- AI detected serious security threats