deep-research-agent
Pass
Audited by Gen Agent Trust Hub on Apr 1, 2026
Risk Level: SAFE (flagged: COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill's workflow depends on executing provided Python scripts (init_research.py and md_to_html.py) using the shell. The instructions direct the agent to pass absolute file paths—often provided by the user—as command-line arguments. This pattern presents a risk of command injection if the agent's execution environment does not adequately sanitize shell arguments containing metacharacters.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to its core function of ingesting untrusted data from web searches.
  - Ingestion points: Data from external web searches is saved directly to markdown files in the materials/raw/ directory.
  - Boundary markers: None are used. The agent is not instructed to wrap gathered information in delimiters or to ignore instructions embedded in it when processing that information.
  - Capability inventory: The skill uses file_write and file_update to manage data and executes local scripts via python for project setup and HTML rendering.
  - Sanitization: No sanitization or validation of the scraped content is performed before it is incorporated into report.md or converted to HTML. This could lead to the agent following malicious instructions hidden in search results, or to malicious HTML output being generated when the markdown library renders that content.
Audit Metadata