fact-checker-investigator

Warn

Audited by Gen Agent Trust Hub on Feb 26, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructions direct the agent to execute a local Python script (scripts/verify_citations.py) on user-provided documents, creating a vector for processing untrusted data through a system command.
  • [DATA_EXFILTRATION]: The verify_citations.py script performs local file read operations based on filenames extracted directly from the analyzed document text using a regular expression. Because the script does not validate or sanitize these file paths, it is vulnerable to directory traversal, allowing access to any .md or .txt file on the system accessible by the agent process (e.g., using citations like ../../sensitive_notes.txt).
  • [DATA_EXFILTRATION]: Indirect Prompt Injection Attack Surface Evidence Chain:
    • Ingestion points: The script reads the primary document file and any secondary files cited within its text (e.g., meeting notes, source documents).
    • Boundary markers: None. There are no mechanisms or instructions to restrict file access to a specific project directory or to ignore instructions embedded in the cited files.
    • Capability inventory: The script possesses the capability to read arbitrary files from the filesystem via the open() function and output their contents to the agent's context.
    • Sanitization: The script checks for specific file extensions (.md, .txt) but fails to perform path normalization or validation to prevent traversal outside the intended directory.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 26, 2026, 10:19 PM