research
Pass
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: SAFE
Full Analysis
- [INDIRECT_PROMPT_INJECTION]: The skill has an inherent attack surface for indirect prompt injection, since its primary function is to ingest and process untrusted data from external web sources. This risk is managed through the following architecture:
  - Ingestion points: Data enters the system during 'Wave 1: Broad Sweep' and 'Wave 2: Deep Dive' through the search and scraping MCP tools specified in `SKILL.md`.
  - Boundary markers: The skill enforces strict output formatting using predefined templates and structured JSON/Markdown schemas, as detailed in `references/output-formats.md` and `references/dashboard-schema.md`.
  - Capability inventory: The skill executes local scripts via `!uv run python` and maintains a dedicated storage directory in `~/.claude/research/`. A `PreToolUse` hook in `SKILL.md` explicitly blocks `Edit` operations to prevent data-driven instructions from modifying the user's workspace.
  - Sanitization: The `scripts/finding-formatter.py` utility uses `html.escape` to sanitize data when generating HTML-based dashboard outputs.
- [COMMAND_EXECUTION]: The skill uses `!uv run python` to execute its internal utility scripts (`journal-store.py`, `finding-formatter.py`, etc.). These executions are limited to the skill's own local scripts and are used for data management and formatting, which is standard functionality for complex tools.
- [DATA_EXPOSURE]: The `scripts/journal-store.py` script manages research journals in the user's home directory. Security is maintained through a strict containment check in the `_resolve_path` function, which prevents directory traversal by ensuring all file operations remain within the `~/.claude/research/` directory.
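The two controls the audit relies on, a store-containment check and HTML escaping of scraped fields, are easy to get subtly wrong, so here is an added illustration of both (example code written for this page, not the skill's own `_resolve_path` or `finding-formatter.py`). It assumes a store rooted at `~/.claude/research/` as the audit describes; the function names `resolve_in_store`, `render_finding_html` and `demo_path_checks`, the temporary store layout, and the sample finding are invented for the demonstration. It goes one step beyond the page on the HTML side: `html.escape` neutralises markup, but it does not stop a scraped `javascript:` URL from becoming a live link, so the renderer also allowlists the link scheme.

```python
"""Containment and escaping checks for a per-user research store.

Added example for this audit page; not code from the skill. It assumes a
store root such as ~/.claude/research/ and invents every name below.
"""
import html
import shutil
import tempfile
from pathlib import Path


class PathEscapeError(ValueError):
    """Raised when a requested journal path would leave the store root."""


def resolve_in_store(root: Path, requested: str) -> Path:
    """Return an absolute path for `requested`, guaranteed to be inside `root`.

    Both sides are fully resolved before comparing, so `..` segments,
    absolute paths (Path joining discards `root` for those) and symlinks
    pointing outside the store are all normalised first. The comparison is
    on path components, not on a string prefix, so a sibling directory such
    as `.../research-other` is not mistaken for `.../research`. The root
    itself is rejected: a journal must be a file below the root.
    """
    root = root.resolve()
    candidate = (root / requested).resolve()          # hypothetical helper
    if candidate == root or not candidate.is_relative_to(root):
        raise PathEscapeError(f"{requested!r} escapes {root}")
    return candidate


SAFE_SCHEMES = ("http://", "https://")


def render_finding_html(title: str, url: str, snippet: str) -> str:
    """Render one scraped finding as an HTML <li>, escaping every field.

    html.escape (quote=True by default) handles <, >, &, ' and ", which
    covers both text and attribute context. The scheme allowlist is an
    added check: escaping alone would still emit href="javascript:...".
    """
    safe_title = html.escape(title)
    safe_snippet = html.escape(snippet)
    if url.strip().lower().startswith(SAFE_SCHEMES):
        link = f'<a href="{html.escape(url)}">{safe_title}</a>'
    else:
        link = f'<span class="finding-title">{safe_title}</span>'  # no link
    return f"<li>{link}<p>{safe_snippet}</p></li>"


def demo_path_checks() -> dict:
    """Exercise resolve_in_store against constructed inputs in a temp store."""
    base = Path(tempfile.mkdtemp())
    root = base / "research"
    root.mkdir()
    (base / "secret.txt").write_text("outside the store")      # constructed
    (root / "escape").symlink_to(base / "secret.txt")           # symlink out
    (base / "research-other").mkdir()                           # prefix sibling
    cases = {
        "ok": "journals/2026-03-08.md",
        "dotdot": "../secret.txt",
        "absolute": str(base / "secret.txt"),
        "symlink": "escape",
        "sibling_prefix": "../research-other/x.md",
        "root_itself": ".",
    }
    results = {}
    try:
        for name, requested in cases.items():
            try:
                resolve_in_store(root, requested)
                results[name] = "ok"
            except PathEscapeError:
                results[name] = "rejected"
    finally:
        shutil.rmtree(base)
    return results


if __name__ == "__main__":
    for name, outcome in demo_path_checks().items():
        print(f"{name:15} {outcome}")
    print(render_finding_html("<b>Title</b>", "javascript:alert(1)", 'say "hi"'))
```

Only the `ok` case resolves; every other request is refused before any file is opened. The symlink case is the one a naive `startswith(str(root))` check misses: the unresolved path looks like it is inside the store while the file it opens is not.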
Audit Metadata