autoresearch
Warn
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the Bash tool to automate repository setup, manage python environments (via uv, pip, or conda), and execute autonomous experiments as specified in 'phases/experiment.md'.
- [EXTERNAL_DOWNLOADS]: The agent is instructed to fetch full-text papers from 'arxiv.org' and clone external repositories into a 'third_party/' folder using 'git submodule add'. While ArXiv is a well-known service, the automated cloning of arbitrary repositories found during the 'ground' phase poses a risk.
- [REMOTE_CODE_EXECUTION]: The skill implements and executes experiment code within the workspace. This includes running code generated by the agent or pulled from external git submodules.
- [PROMPT_INJECTION]: The skill has an attack surface for indirect prompt injection.
  1. Ingestion points: WebFetch of academic papers (phases/ground.md) and cloning of external repositories (phases/experiment.md).
  2. Boundary markers: The instructions lack explicit delimiters or safety warnings telling the agent to ignore instructions embedded in the external content.
  3. Capability inventory: The agent has access to tools including Bash, Write, Edit, and Agent, as defined in 'SKILL.md'.
  4. Sanitization: No evidence of content validation or sanitization of ingested data before it is processed.
Audit Metadata