era5-download
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, DATA_EXFILTRATION)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill provides the agent with a file-write capability via the `output_file` parameter in `scripts/download_era5.py`. An attacker could use indirect prompt injection (e.g., via a malicious data request) to trick the agent into specifying a sensitive path like `~/.bashrc` or `~/.ssh/authorized_keys` as the output destination, potentially leading to system compromise or denial of service through file overwriting.
  - Ingestion points: User-provided parameters for `output_file` in the Python script and `output_file` in the programmatic `download_era5` function.
  - Boundary markers: Absent. There is no validation or sanitization of the output path to ensure it remains within a dedicated data directory.
  - Capability inventory: File system write (`result.download(str(output_path))`) and directory creation (`output_path.parent.mkdir`).
  - Sanitization: Absent. The script uses the provided path directly without checking for path traversal or restricted directories.
- [Data Exposure & Exfiltration] (LOW): The skill requires and handles a `COPERNICUS_API_KEY`. While it does not hardcode credentials, it explicitly instructs the agent to use and manage these secrets.
- [External Downloads] (LOW): The skill relies on the `cdsapi` library and makes network requests to `https://cds.climate.copernicus.eu/api`. This is a legitimate service for climate data, but involves external network communication.
Recommendations
- AI detected serious security threats
Audit Metadata