arxiv-watcher
Pass
Audited by Gen Agent Trust Hub on Feb 22, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (LOW): Indirect prompt injection surface detected in
SKILL.md. The agent fetches research paper abstracts from an external source (ArXiv) and is instructed to parse and summarize them without specific safety constraints or delimiters. - Ingestion points: Data retrieved from
export.arxiv.orgviascripts/search_arxiv.sh(specifically the<summary>and<title>tags). - Boundary markers: Absent. The workflow does not instruct the agent to ignore instructions embedded within the fetched content.
- Capability inventory: The agent has the ability to execute shell scripts (
scripts/search_arxiv.sh) and write/append to local files (memory/RESEARCH_LOG.md). - Sanitization: Absent. External text is directly interpolated into the agent's context and written to a file.
- COMMAND_EXECUTION (SAFE): The skill utilizes a local bash script (
scripts/search_arxiv.sh) to perform network operations viacurl. The implementation is restricted to a specific domain and uses double-quotes around variables, which mitigates simple shell injection attempts.
Audit Metadata