csv-data-analyst

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • PROMPT_INJECTION (HIGH): The skill contains aggressive imperative instructions designed to override the agent's standard conversational flow. Phrases like 'DO NOT ASK', 'DO NOT OFFER OPTIONS', and 'IMMEDIATELY AND AUTOMATICALLY' are used to force the agent into executing code and presenting results without a human-in-the-loop safety check. While intended for user experience, this behavior bypasses default safety guardrails that might otherwise allow a user to catch malicious activity before execution.
  • COMMAND_EXECUTION (MEDIUM): The skill's primary function is to execute a local Python script (scripts/analyze.py) upon receiving external data. While the script is part of the skill, the execution is triggered automatically by untrusted input, creating a surface for potential exploitation if the script itself has vulnerabilities.
  • INDIRECT PROMPT INJECTION (HIGH): This skill represents a significant indirect injection surface.
      ◦ Ingestion points: The skill ingests data from external CSV files via the summarize_csv function and instructions to process any 'uploaded, attached, or referenced' files.
      ◦ Boundary markers: There are no boundary markers or instructions to treat the CSV content as untrusted data; the agent is instead told to 'Present actionable insights' based on patterns found in the specific dataset.
      ◦ Capability inventory: The skill uses Python, pandas, and a custom script (scripts/analyze.py) to perform its tasks, representing an execution capability.
      ◦ Sanitization: No sanitization or validation of the CSV content is mentioned. A malicious CSV could contain prompt injection payloads disguised as data rows that the agent may interpret as instructions while generating 'insights'.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 11:57 AM