arxiv-search
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill instructions direct the agent to execute a shell command: `python3 [YOUR_SKILLS_DIR]/arxiv-search/arxiv_search.py "your search query"`. Direct interpolation of a user-provided string into a shell command is a critical security vulnerability. An attacker can use shell metacharacters (e.g., `;`, `&`, `|`, or backticks) in the search query to execute arbitrary commands on the agent's host system.
- [PROMPT_INJECTION] (MEDIUM): Category 8: Indirect Prompt Injection surface. The skill fetches untrusted data (paper titles and summaries) from the external arXiv API.
  1. Ingestion points: Data enters via the arXiv API results processed by `arxiv_search.py`.
  2. Boundary markers: Absent; the skill uses simple blank lines to separate results, lacking robust delimiters to prevent the agent from interpreting result content as instructions.
  3. Capability inventory: The agent executing this skill has command execution capabilities, as evidenced by the requirement to run the Python script via shell.
  4. Sanitization: Absent; no sanitization or ignore-instructions headers are described for the external content.
- [EXTERNAL_DOWNLOADS] (LOW): The documentation instructs the user to `pip install arxiv`. While the `arxiv` package is a well-known library, this introduces a dependency on an external source that must be fetched at runtime. Per [TRUST-SCOPE-RULE], this is a low-risk finding as it targets a standard package registry.
Recommendations
- AI detected serious security threats