deep-research
Pass
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill includes instructions to perform filesystem operations and retrieve external code using shell commands, specifically `mkdir -p /mnt/d/githubresearch` and `git clone [repo-url]` in SKILL.md. While the instructions mandate asking for user permission before cloning, the use of a dynamically discovered `[repo-url]` in a shell command string presents a theoretical risk of command injection if the agent does not sanitize the input before execution.
- [EXTERNAL_DOWNLOADS]: The research process relies heavily on external data retrieval via WebSearch, WebFetch, and a documented fallback using `curl` targeting https://r.jina.ai/. Jina AI is a well-known service for LLM content processing. The skill also facilitates the download of entire codebases via `git clone`.
- [PROMPT_INJECTION]: The skill exhibits an attack surface for Indirect Prompt Injection (Category 8), as it is designed to ingest and summarize large volumes of untrusted data from the web and third-party repositories.
  - Ingestion points: web results via WebSearch, full page content via WebFetch and `curl`, and source code via `git clone`.
  - Boundary markers: The instructions lack specific requirements for using boundary markers or 'ignore' instructions when the agent processes retrieved text, increasing the risk of the agent obeying hidden instructions in the data.
  - Capability inventory: The skill possesses network access, filesystem write access, and the ability to interact with external version control systems.
  - Sanitization: No explicit sanitization or filtering logic is provided for the content retrieved before it is passed to the synthesis and reporting phases.
Audit Metadata