paper-digest
Pass
Audited by Gen Agent Trust Hub on Apr 27, 2026
Risk Level: SAFE
Full Analysis
- [PROMPT_INJECTION]: The skill includes explicit instructions to the agent to treat all parsed content strictly as data and not to execute any instructions found within the papers. This is a positive security practice to mitigate indirect prompt injection risks from processed external files.
- [CREDENTIALS_UNSAFE]: The skill correctly handles the SOMARK_API_KEY by requiring it as an environment variable (SOMARK_API_KEY). It provides specific instructions to the user on how to obtain and set the key safely, while warning against sharing the key in the chat interface.
- [DATA_EXFILTRATION]: Network operations within paper_digest.py are restricted to the vendor's official API domain (somark.tech). These operations are necessary for the skill's primary function of paper parsing and involve sending the user-provided file and the API key to the legitimate service.
- [EXTERNAL_DOWNLOADS]: The Python script uses the aiohttp library for network communication. No external scripts or executables are downloaded or executed from untrusted sources.
Audit Metadata