deep-research

Pass

Audited by Gen Agent Trust Hub on Feb 26, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8). It ingests untrusted data from the web using search and fetch tools (Phase 3). This data is subsequently summarized and passed into the prompts of dynamically spawned sub-agents for report continuation (Phase 8.3). There are no explicit boundary markers or sanitization routines identified that would prevent malicious instructions in retrieved web content from influencing the behavior of these sub-agents.
    • Ingestion points: Web search results and fetched page content in Phase 3.
    • Boundary markers: Absent for the summaries of findings included in the sub-agent prompts.
    • Capability inventory: File system access (write/edit), local script execution, and sub-agent spawning via the Task tool.
    • Sanitization: None detected for content retrieved from external sources before it is re-processed by the agent or sub-agents.
  • [COMMAND_EXECUTION]: The skill executes a suite of local Python scripts (e.g., validate_report.py, verify_citations.py, research_engine.py) to orchestrate the research process, manage session state, and enforce quality standards. These scripts are run locally using the agent's environment.
  • [EXTERNAL_DOWNLOADS]: The citation verification logic performs outbound network requests to external domains, including doi.org and various source URLs, to validate the existence and metadata of research references. These requests are informative and do not involve the download or execution of remote code.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 26, 2026, 02:41 PM