denario
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill recommends installation via 'git clone https://github.com/AstroPilot-AI/Denario.git' and 'docker pull pablovd/denario:latest'. Neither 'AstroPilot-AI' nor 'pablovd' is on the trusted organizations or repositories list, creating a potential supply chain risk.
- [COMMAND_EXECUTION] (MEDIUM): The core workflow includes 'den.get_results()', which is documented to 'execute computational experiments' and 'run the methodology'. This implies the execution of dynamically generated code or system-level commands based on user-supplied or AI-generated research descriptions.
- [REMOTE_CODE_EXECUTION] (LOW): Documentation for Google Vertex AI setup includes 'curl https://sdk.cloud.google.com | bash'. While this pattern (piping to bash) is high-risk, the source (Google) is trusted, resulting in a downgrade to LOW per [TRUST-SCOPE-RULE].
- [PROMPT_INJECTION] (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8).
  * Ingestion points: Processes untrusted external data via 'set_data_description' and reads external methodology/results files via 'set_method' and 'set_results'.
  * Boundary markers: Absent; no delimiters or 'ignore instructions' warnings are provided for interpolated data.
  * Capability inventory: High-impact capabilities including computational execution ('get_results'), LaTeX generation ('get_paper'), and a web-based GUI ('denario run').
  * Sanitization: No evidence of sanitization or validation of input data before it influences agent behavior or code execution.
Audit Metadata