arxiv-doc-builder
Fail
Audited by Gen Agent Trust Hub on Apr 8, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: Shell command injection vulnerability in `arxiv_doc_builder/fetch_paper.py`. The function `_detect_file_type` executes a shell command using `subprocess.run` with `shell=True` to execute a command containing a file path derived from the user-supplied `arxiv_id`. Because the ID is not properly sanitized for shell metacharacters, an attacker can execute arbitrary code on the system.
- [COMMAND_EXECUTION]: Path traversal and arbitrary file write vulnerability in `arxiv_doc_builder/fetch_paper.py`. The `_extract_gzip_single` function extracts a filename from gzip metadata via the `file` command and uses it as a write path without validation. A malicious file could use `../` sequences to write files to unauthorized locations.
- [PROMPT_INJECTION]: Potential for indirect prompt injection. The skill fetches and converts untrusted academic papers (LaTeX/PDF) into Markdown for agent consumption. There are no boundary markers or sanitization steps to prevent embedded instructions in the papers from influencing agent behavior. Ingestion: `fetch_paper.py`. Boundary markers: absent. Capability inventory: subprocess calls for `pandoc`, `curl`, `tar`, `gunzip`, and `file`. Sanitization: absent.
- [EXTERNAL_DOWNLOADS]: Fetches paper materials from arxiv.org. While this is the intended functionality, the lack of input validation makes the fetching process a vector for other attacks.
- [DATA_EXFILTRATION]: Insecure HTTP usage in `arxiv_doc_builder/convert_latex.py`. The `fetch_title_from_arxiv` function queries the arXiv API over `http` instead of `https`, which could allow interception of the data.
Recommendations
- AI detected serious security threats
Audit Metadata