autoresearch

Fail

Audited by Gen Agent Trust Hub on Mar 24, 2026

Risk Level: HIGH
COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill mandates the configuration of persistence mechanisms, specifically a 10-minute cron job for OpenClaw or a /loop command for Claude Code, to ensure the agent runs indefinitely without human intervention.
  • [PROMPT_INJECTION]: Contains instructions that direct the agent to override standard confirmation protocols, specifically telling the agent to "not ask the user for permission or confirmation" and to operate autonomously while the user is away.
  • [EXTERNAL_DOWNLOADS]: Instructs the agent to perform runtime installation of third-party Python packages, specifically semanticscholar and arxiv, to facilitate literature searching.
  • [DATA_EXFILTRATION]: Directs the agent to send reports and visual data to external communication platforms such as Telegram or WhatsApp in certain configurations.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through the processing of external research data, which influences the agent's logic and code generation.
    • Ingestion points: Files in the literature/ directory populated from Semantic Scholar, arXiv, and web searches via Exa MCP.
    • Boundary markers: None; the skill lacks delimiters or instructions to treat external research content as untrusted.
    • Capability inventory: Includes runtime package installation, persistent shell command execution via loop/cron, and routing to various domain-specific execution skills.
    • Sanitization: None; the agent is encouraged to synthesize findings and build a research narrative directly from unprocessed external literature.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 24, 2026, 02:16 AM