reference-finder
Pass
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- Prompt Injection (LOW): The skill is susceptible to indirect prompt injection because it incorporates untrusted user data into LLM prompts. \n
- Ingestion points: User-provided research text via
main.pyis passed intoextractor.pyandgenerator.py. \n - Boundary markers: Prompts in
prompts/extraction.txtandprompts/literature.txtlack delimiters (e.g., XML tags or triple quotes) to isolate the{{input_text}}and{{context}}placeholders. \n - Capability inventory: The skill can perform network requests to Gemini/OpenAI APIs (
src/gemini_client.py) and write Markdown files to the local file system (src/reporter.py). \n - Sanitization: No sanitization or safety-filtering is applied to the input text before interpolation. \n- Data Exposure & Exfiltration (SAFE): The skill correctly uses environment variable substitution for API keys in
src/config.py. No unauthorized data exfiltration or sensitive file access was found. \n- Unverifiable Dependencies (SAFE): Therequirements.txtfile specifies standard, reputable academic and Python utility libraries. No suspicious packages or remote code execution patterns (e.g., piped bash scripts) were identified. \n- Metadata Poisoning (LOW): The skill includes internal documentation (tests/bug_reports.md,qa_status.md) which admits the code is non-functional and inconsistent with itsREADME.mdclaims. While not a direct security exploit, this metadata deception affects the perceived capability of the agent.
Audit Metadata