geopandas
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH (PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is designed to ingest data from untrusted external sources and has capabilities that could lead to significant side effects if manipulated.
  - Ingestion points: `gpd.read_file()` (via references/data-io.md) accepts remote URLs, S3 buckets, and Azure Blob Storage; `gpd.read_postgis()` reads from external databases.
  - Boundary markers: Absent; no instructions are provided to the agent to treat external geospatial metadata or database records as untrusted.
  - Capability inventory: `gdf.to_file()` allows writing to the filesystem or remote storage; `gpd.read_postgis()` and `gdf.to_postgis()` allow execution of SQL and database modifications.
  - Sanitization: No sanitization or validation logic is provided to prevent SQL injection or malicious data from affecting downstream decision-making.
- External Downloads (LOW): The skill specifies installation of multiple dependencies via `uv pip install`.
  - Evidence: geopandas, folium, mapclassify, pyarrow, psycopg2, geoalchemy2, contextily, cartopy.
  - Status: These are standard, well-known geospatial libraries from trusted ecosystems. Per [TRUST-SCOPE-RULE], the risk is downgraded to LOW.
- Command Execution (LOW): Installation instructions use shell commands, which is expected behavior for library-based skills.
Recommendations
- AI detected serious security threats