research-pipeline
Pass
Audited by Gen Agent Trust Hub on Apr 18, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes the Bash tool for launching and monitoring research experiments. It also defines a fallback routine that uses shell commands like cat to write large files to the disk.
- [PROMPT_INJECTION]: The skill instructions explicitly direct the agent to perform certain Bash-based file operations silently and without asking for user permission, which intentionally overrides standard platform safety protocols for human-in-the-loop confirmation.
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface: The skill ingests untrusted data from external sources such as the arXiv API and other research literature. Because the skill also possesses significant capabilities including Bash execution and the ability to run other agents, instructions embedded within fetched research papers could potentially influence or control the agent's actions. (1) Ingestion: arXiv and WebFetch; (2) Boundary markers: None; (3) Capability inventory: Full Bash access, agent/skill invocation, file writing; (4) Sanitization: None.
- [DATA_EXFILTRATION]: The skill possesses both read access to local project files and network access via tools like WebFetch. This combination allows for a potential data exfiltration path, although no explicit malicious exfiltration logic was identified in the static analysis.
Audit Metadata