design-agent
Warn
Audited by Gen Agent Trust Hub on Apr 3, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill documents how to enable 'allow_code_execution' with 'code_execution_mode' set to 'unsafe', which allows the agent to execute generated code directly on the host operating system rather than in a containerized environment.
- [REMOTE_CODE_EXECUTION]: The reference material provides patterns for creating custom tools using Python that can perform arbitrary operations, such as database searches or web fetching, which are then executed by the agent runtime.
- [PROMPT_INJECTION]: The skill describes an architecture vulnerable to indirect prompt injection.
  - Ingestion points: Agents are configured to use tools like SerperDevTool, ScrapeWebsiteTool, and FileReadTool, as well as knowledge sources like PDFKnowledgeSource, to ingest data from external URLs and local files.
  - Boundary markers: The instructions do not define or require the use of delimiters or specific instructions to ignore embedded commands in the ingested data.
  - Capability inventory: Agents are granted powerful capabilities including host code execution, network access via scraping tools, and file system access.
  - Sanitization: While the skill mentions using 'guardrail' functions for output validation, it does not provide mechanisms for sanitizing untrusted inputs before they are processed by the LLM.
- [EXTERNAL_DOWNLOADS]: The skill instructions and code examples facilitate fetching content from external sources via tools like ScrapeWebsiteTool and SerperDevTool.
Audit Metadata