stata-sep
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- COMMAND_EXECUTION (HIGH): The tools
write_dofile,stata_do, andappend_dofile(defined inSKILL.mdandreferences/tools.md) grant the agent the ability to create and run arbitrary Stata code on the host system. This capability can be misused to execute malicious logic if the agent follows instructions from an untrusted source.\n- REMOTE_CODE_EXECUTION (HIGH): Theado_package_installtool (documented inreferences/tools.md) permits downloading and installing packages from external sources like GitHub or SSC. This allows the execution of unverified remote scripts on the user's machine.\n- PROMPT_INJECTION (HIGH): The skill is highly susceptible to Indirect Prompt Injection when processing external research data. Evidence Chain:\n - Ingestion points:
get_data_infoinreferences/tools.mdingests untrusted .dta and .csv files.\n - Boundary markers: No delimiters or instructions to ignore embedded commands are present in the recommended system prompts in
references/advanced.md.\n - Capability inventory: Includes
write_dofile,stata_do,read_file, andado_package_install.\n - Sanitization: No sanitization of ingested data before its use in do-files is specified, allowing data to influence code generation.\n- DATA_EXFILTRATION (MEDIUM): The
read_filetool (documented inreferences/tools.md) can be used to access sensitive local files. An agent influenced by malicious input could be tricked into reading files such as SSH keys or environment variables and outputting their contents to the chat.
Recommendations
- AI detected serious security threats
Audit Metadata