figshare-data-download
Warn
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The script 'scripts/figshare_data_download.py' uses 'subprocess.run(["open", args.url])' to launch the default system browser with a user-supplied URL. There is no validation to ensure the URL points to a legitimate Figshare domain.
- [DATA_EXFILTRATION]: The skill explicitly targets the user's '~/Downloads' directory to find and copy files. It can copy files from this sensitive location to any arbitrary 'output' path provided to the script.
  - Evidence: 'downloads_dir = Path(args.downloads_dir).expanduser().resolve()' and 'shutil.copy2(pick, output)' in 'scripts/figshare_data_download.py'.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection where a malicious source could provide a specific 'expected_name' to trick the agent into searching for and exfiltrating existing sensitive files (e.g., keys or documents) from the downloads folder.
  - Ingestion points: The 'url', 'output', and 'expected_name' parameters enter the script via agent instructions.
  - Boundary markers: None observed in the script or prompt instructions.
  - Capability inventory: Subprocess execution ('open' command), file system read/write via 'shutil', and directory listing via 'pathlib'.
  - Sanitization: No validation or sanitization is performed on the 'url' or 'expected_name' to prevent path traversal or the targeting of non-Figshare files.