testing-dags
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The skill relies on `uvx --from astro-airflow-mcp af` to execute its core functionality. The source `astro-airflow-mcp` is not listed as a trusted repository or organization, meaning the agent is downloading and running code from an unverified external provider.
- COMMAND_EXECUTION (LOW): The skill uses a CLI tool to manage Airflow environments, including triggering DAGs and inspecting system state. It specifically accesses `af config connections` and `af config variables`, which are likely to output sensitive credentials or environment secrets into the agent's context.
- PROMPT_INJECTION (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8) because it instructs the agent to read and act upon task logs to fix code. Logs are often influenced by external data or attacker-controlled inputs in a production DAG.
  - Ingestion points: `af tasks logs` command output.
  - Boundary markers: Absent. The instructions do not tell the agent to ignore instructions embedded in logs.
  - Capability inventory: The agent has the ability to modify local files (fixing DAGs) and execute shell commands (`af` CLI).
  - Sanitization: Absent. There is no evidence of filtering or escaping log content before the agent processes it.
- REMOTE_CODE_EXECUTION (MEDIUM): By using `uvx`, the skill performs just-in-time installation and execution of a remote package. This is a form of remote code execution that bypasses standard static security checks of the skill's local files.