agents-sdk

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH

Findings: REMOTE_CODE_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • REMOTE_CODE_EXECUTION (HIGH): The skill documents 'Code Mode' (references/codemode.md), which generates and executes JavaScript at runtime based on LLM output via the CodeModeProxy. This dynamic execution pattern is inherently risky as it allows for arbitrary logic execution in the Worker environment, which could be exploited through prompt manipulation.
  • PROMPT_INJECTION (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8) due to its data ingestion surfaces. It processes untrusted content from emails (references/email.md) and external MCP servers (references/mcp.md), which are then used in AI-driven tool calls.
    1. Ingestion points: onEmail (email.md), addMcpServer/tools (mcp.md), onChatMessage (streaming-chat.md).
    2. Boundary markers: No explicit delimiters or 'ignore instructions' warnings are present in the provided code examples.
    3. Capability inventory: SQLite execution (this.sql), network requests (fetch), and durable workflow management.
    4. Sanitization: Relies on basic email parsing via PostalMime but lacks sanitization of message bodies before prompt interpolation.
  • EXTERNAL_DOWNLOADS (LOW): The documentation recommends installing several third-party npm packages, including @cloudflare/codemode, @modelcontextprotocol/sdk, and postal-mime. While sourced from a reputable provider, these represent external dependencies that are loaded into the agent environment.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 17, 2026, 05:24 PM