academic-research
Warn
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The skill instructs users to install
arxiv-mcp-serverfrom an untrusted source (blazickjp/arxiv-mcp-server) usinguvornpx. This package is not from a trusted GitHub organization or repository as defined in the security policy. - COMMAND_EXECUTION (LOW): The documented configuration for the ArXiv MCP server involves executing code via
uv tool run, which runs the unverifiable package mentioned above. - DATA_EXFILTRATION (LOW): The skill facilitates network requests to
api.exa.aifor search and synthesis. While consistent with the skill's purpose, this domain is not on the trusted whitelist for network operations. - PROMPT_INJECTION (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8). It ingests untrusted data from external sources (academic papers via
read_paperand web results via Exa) and processes it with a deep analysis prompt without explicit boundary markers or sanitization. - Ingestion points:
mcp__exa__web_search_exa,search_papers, andread_paper(which extracts full text from arXiv PDFs). - Boundary markers: Absent; the skill does not wrap external content in delimiters or provide 'ignore embedded instructions' warnings.
- Capability inventory: File system read/write (via
download_paper/read_paperin~/.arxiv-papers) and network access (via Exa tools). - Sanitization: None detected in the provided instructional workflow.
Audit Metadata