using-deepagents

Fail

Audited by Gen Agent Trust Hub on Apr 11, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill facilitates arbitrary command execution through the LocalShellBackend documented in SKILL.md and references/backends.md. This backend provides the agent with an execute tool that can run any shell command with the privileges of the user running the agent. While the documentation includes a warning against production use, it encourages this configuration for local development.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection via its 'Skills' and 'Memory' features (documented in references/skills-and-memory.md).
      • Ingestion points: Files specified in the memory and skills lists are loaded into the agent's context (SKILL.md).
      • Boundary markers: The documentation does not specify the use of delimiters or warnings to ignore instructions within these files.
      • Capability inventory: The agent possesses powerful capabilities including arbitrary shell execution (LocalShellBackend) and file system modification (FilesystemBackend tools like write_file).
      • Sanitization: There is no evidence of sanitization or validation for the content loaded from these external paths.
  • [EXTERNAL_DOWNLOADS]: The documentation instructs users to install external software packages including deepagents and various langgraph extension libraries from public registries.
  • [DATA_EXFILTRATION]: The architecture allows for data exfiltration patterns. An agent configured with FilesystemBackend can read sensitive local files, and if used in conjunction with LocalShellBackend or custom network tools, those files can be transmitted to external servers.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Apr 11, 2026, 07:19 AM