marimo
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- REMOTE_CODE_EXECUTION (HIGH): The skill's core workflow requires executing Python code within marimo notebooks using the 'marimo export ... --include-outputs' command. This allows execution of any code contained within a notebook file, posing a high risk if notebooks are sourced from untrusted locations.
- COMMAND_EXECUTION (MEDIUM): The skill utilizes system commands and local scripts for notebook validation and metadata extraction, including 'marimo check', 'python3 -m py_compile', and 'scripts/check_notebook.sh'.
- CREDENTIALS_UNSAFE (MEDIUM): Documentation in 'references/sql.md' includes hardcoded placeholder credentials (e.g., user="user", password="password") for database connections.
- PROMPT_INJECTION (MEDIUM): The skill utilizes forceful 'IRON LAW' and 'NOT NEGOTIABLE' directives to strictly govern agent behavior and verification processes, which mimic behavior-override injection techniques.
- INDIRECT PROMPT INJECTION (HIGH): The skill is vulnerable to indirect injection as it ingests and executes content from external .py files. (1) Ingestion points: Reads marimo notebook files in 'SKILL.md' and 'scripts/check_notebook.sh'. (2) Boundary markers: Lacks explicit delimiters for notebook content. (3) Capability inventory: Executes code via 'marimo export' and CLI tools. (4) Sanitization: No content sanitization before execution.
Recommendations
- AI detected serious security threats
- Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata