literature-review
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes shell commands (ls, mkdir, cp) to inventory PDF files and organize them within the local file system during the bibliography and synthesis steps.
- [PROMPT_INJECTION]: The skill employs strong imperative language and visual indicators (e.g., '⛔', 'MUST NEVER', 'CRITICAL CONSTRAINTS') to override the agent's default behavior and enforce a specific subagent processing logic.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted data from external PDF files. Malicious content within a PDF could potentially influence the subagent's summary, which is subsequently used by the orchestrator to draft the final manuscript.
- Ingestion points: The agent reads user-provided PDF files from the papers/ directory and context from scope.md.
- Boundary markers: Instructional constraints and emojis are used to separate orchestrator and subagent roles to prevent direct PDF access by the orchestrator.
- Capability inventory: The skill can execute shell commands (ls, mkdir, cp) and spawn subagents via the Task tool.
- Sanitization: The skill lacks explicit sanitization or validation of the data extracted from the PDF files before it is integrated into the synthesis and introduction draft.