getting-started
Pass
Audited by Gen Agent Trust Hub on Apr 3, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [DATA_EXPOSURE]: The skill documents the integration of tools such as FileReadTool, DirectoryReadTool, and S3ReaderTool, which enable an agent to access and read content from the local filesystem or cloud storage environments.
- [DYNAMIC_EXECUTION]: The documentation describes the CodeInterpreterTool, which allows an agent to execute arbitrary Python code within a Docker-based sandbox. This capability, while sandboxed, represents a vector for dynamic code execution triggered by agent reasoning.
- [EXTERNAL_DOWNLOADS]: The guide provides examples of using npx to fetch and run remote MCP (Model Context Protocol) servers (e.g., @modelcontextprotocol/server-filesystem). This involves downloading and executing code from external registries during the setup or execution of the agent flows.
- [INDIRECT_PROMPT_INJECTION]: The skill establishes a significant attack surface for indirect prompt injection by detailing workflows where agents ingest data from untrusted sources (web search, website scraping, or local files) and subsequently use tools with write or execution permissions.
  - Ingestion points: Untrusted data is ingested via SerperDevTool, ScrapeWebsiteTool, FileReadTool, and GithubSearchTool (as documented in SKILL.md and tools-catalog.md).
  - Boundary markers: The instructions do not explicitly provide or require the use of delimiters or 'ignore' instructions to prevent the agent from executing commands found within the ingested data.
  - Capability inventory: The agent has access to tools capable of external data persistence or execution, such as FileWriterTool, S3WriterTool, and CodeInterpreterTool.
  - Sanitization: The provided workflow does not mention sanitization, validation, or escaping of external content before it is incorporated into the agent's context.
Audit Metadata