cnki-advanced-search
Warn
Audited by Gen Agent Trust Hub on Apr 9, 2026
Risk Level: MEDIUM
Tags: COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to construct and execute shell commands that interpolate user-provided keywords directly into the command line (e.g., `python3 scripts/cnki_search.py --keywords "{user_input}"`). Because the keywords are spliced into a shell string rather than passed as a separate argument, input containing shell metacharacters (a closing `"`, `;`, `$(...)`, backticks) breaks out of the quoted argument and runs arbitrary commands on the host system.
- [COMMAND_EXECUTION]: The automation workflow launches Google Chrome with the `--remote-debugging-port=9222` flag and uses `curl` to probe `localhost:9222`. This exposes the browser's DevTools Protocol endpoint to every other process on the local machine; any local process that connects can drive the browser's tabs and act with the user's logged-in sessions, which is a significant risk to the user's browser data and active sessions.
- [DATA_EXFILTRATION]: Multiple files, including the core instructions and automation scripts, contain hardcoded absolute paths under the author's local home directory (e.g., `/Users/songyiping/...`). This leaks metadata about the local system's username and directory layout to the agent, and potentially onward through its logs.
- [COMMAND_EXECUTION]: The skill exhibits an Indirect Prompt Injection surface (Category 8):
  - Ingestion points: User-provided research keywords and topics, ingested through the agent's interaction loop.
  - Boundary markers: Absent. The skill uses no delimiters and gives no instruction to ignore commands embedded in the user-supplied data.
  - Capability inventory: The skill holds high-privilege capabilities, including shell execution (bash), browser automation (Playwright), and local file system access (Excel generation).
  - Sanitization: Absent. There is no evidence of sanitization, escaping, or validation of user input before it is passed to shell commands in the provided instructions.
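The command-injection finding above, worked through as an added example (this is not code from the cnki-advanced-search skill or from the audit). It builds the command line the way the skill's instructions do, parses it the way a POSIX shell would, and shows that a constructed keyword string turns one invocation into three commands, while an argument-vector call (or, if a shell string is unavoidable, `shlex.quote`) keeps the keywords as a single argument. The script path `scripts/cnki_search.py` is the one quoted in the audit; the attacker input and the `run_search` wrapper are this example's own assumptions.

```python
"""Added example: why interpolating user keywords into a shell string is
injectable, and what the hardened invocation looks like."""
from __future__ import annotations

import shlex
import subprocess

SCRIPT = "scripts/cnki_search.py"  # path quoted in the audit; assumed to exist

# Constructed attacker input: closes the double-quoted argument, appends a
# second command, then re-opens a quote so the line stays syntactically valid.
PAYLOAD = 'foo"; touch /tmp/pwned; echo "'

SHELL_SEPARATORS = {";", "&&", "||", "|", "&"}


def build_command_unsafe(keywords: str) -> str:
    """The skill's pattern: raw keywords interpolated into a shell string."""
    return f'python3 {SCRIPT} --keywords "{keywords}"'


def build_command_quoted(keywords: str) -> str:
    """Still a shell string, but shlex.quote turns the keywords into one literal word."""
    return f"python3 {SCRIPT} --keywords {shlex.quote(keywords)}"


def build_command_safe(keywords: str) -> list[str]:
    """Preferred fix: an argument vector. No shell ever parses the keywords."""
    return ["python3", SCRIPT, "--keywords", keywords]


def shell_commands(cmdline: str) -> list[list[str]]:
    """Tokenize a command line like a POSIX shell and split it on command
    separators, returning the simple commands the shell would actually run."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands: list[list[str]] = []
    current: list[str] = []
    for token in lexer:
        if token in SHELL_SEPARATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def run_search(keywords: str) -> subprocess.CompletedProcess:
    """Invoke the script with the argv form (shell=False is the default).
    Hypothetical wrapper; requires the script to exist."""
    return subprocess.run(build_command_safe(keywords), check=True,
                          capture_output=True, text=True)


if __name__ == "__main__":
    for label, cmdline in (("unsafe", build_command_unsafe(PAYLOAD)),
                           ("quoted", build_command_quoted(PAYLOAD))):
        print(f"{label}: {cmdline}")
        for cmd in shell_commands(cmdline):
            print("   shell would run:", cmd)
    print("argv form:", build_command_safe(PAYLOAD))
```

The argv form is the fix to ask for: the keywords reach `cnki_search.py` as one `sys.argv` entry regardless of what they contain, so no metacharacter filtering is needed. Quoting with `shlex.quote` is only a fallback for instructions that must stay a single shell line, and a deny-list of "bad characters" is not a substitute for either.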
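The remote-debugging and hardcoded-path findings above, as an added detection example (not part of the skill or of the Trust Hub's own audit tooling): a scanner that flags, line by line in a skill's instruction text, a quoted `{placeholder}` on a command line, the `--remote-debugging-port` flag, and absolute paths under a home directory. The sample SKILL.md is constructed to imitate the audit's findings; it is not the real file, and since the audit elides the real path as `/Users/songyiping/...`, the sample uses a placeholder user named `alice`. The category labels reuse the audit's tags; the regular expressions are this example's own.

```python
"""Added example: a line-oriented scanner for the risky patterns the audit
reports in agent-skill instruction files."""
from __future__ import annotations

import re

# Constructed sample, NOT the real cnki-advanced-search file. Placeholder user
# "alice" stands in for the elided real path.
SAMPLE_SKILL_MD = """\
# cnki-advanced-search instructions (constructed sample)
1. Launch Chrome with the debugging port open:
   google-chrome --remote-debugging-port=9222 --user-data-dir=/Users/alice/cnki-profile
2. Confirm it is reachable: curl http://localhost:9222/json/version
3. Run the search with the user's topic:
   python3 scripts/cnki_search.py --keywords "{user_input}"
4. Save the workbook to /Users/alice/Desktop/cnki_results.xlsx
"""

# Labels follow the audit's tags; the patterns are this example's assumptions.
PATTERNS: dict[str, re.Pattern[str]] = {
    # a {placeholder} wrapped in shell double quotes, i.e. spliced into a command
    "COMMAND_EXECUTION:shell-interpolation": re.compile(r'"\{[A-Za-z_]\w*\}"'),
    # Chrome DevTools Protocol endpoint exposed to local processes
    "COMMAND_EXECUTION:remote-debugging": re.compile(r"--remote-debugging-port=\d+"),
    # absolute paths under a macOS (/Users) or Linux (/home) home directory
    "DATA_EXFILTRATION:home-path": re.compile(r"(?:/Users|/home)/[^/\s\"']+/"),
}


def audit_skill_text(text: str) -> list[dict]:
    """Return one finding per (line, category, match), in file order."""
    findings: list[dict] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for category, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append({
                    "line": lineno,
                    "category": category,
                    "evidence": match.group(0),
                })
    return findings


def summarize(findings: list[dict]) -> dict[str, int]:
    """Count findings per category, the shape a risk summary would consume."""
    counts: dict[str, int] = {}
    for finding in findings:
        counts[finding["category"]] = counts.get(finding["category"], 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_skill_text(SAMPLE_SKILL_MD)
    for finding in results:
        print(f"line {finding['line']:>2}  {finding['category']:<40} {finding['evidence']}")
    print(summarize(results))
```

The scanner is deliberately text-level: skills ship instructions as prose plus shell snippets, so the agent-facing text is the artifact to review. A hit on the interpolation pattern is the cue to demand the argv form; a hit on the debugging-port flag is the cue to ask why the browser's session must be open to every local process at all.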
Audit Metadata