arxiv-watcher
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes untrusted data from external research papers.
- Ingestion points: Data is fetched from the ArXiv API (XML format) and PDF contents are processed via the
web_fetchcapability as described in the workflow. - Boundary markers: No delimiters or protective instructions are defined in the SKILL.md to isolate the paper's content from the agent's control flow.
- Capability inventory: The skill executes a shell script (
scripts/search_arxiv.sh) and writes data to the local file system (memory/RESEARCH_LOG.md). - Sanitization: There is no evidence of sanitization, validation, or filtering applied to the fetched text before it is presented to the user or recorded in the long-term log.
- [COMMAND_EXECUTION]: The skill utilizes a local shell script resource (
scripts/search_arxiv.sh) provided by the author to perform its primary function of querying the ArXiv API. This represents a command execution surface that relies on the integrity of the included script file.
Audit Metadata