eino
Fail
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: HIGH
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill provides tools that execute arbitrary system commands. Specifically, the bash tool implemented in adk/multiagent/integration-excel-agent/tools/bash.go and adk/multiagent/deep/tools/bash.go takes strings generated by the LLM and runs them directly in a bash shell using exec.CommandContext.
- [REMOTE_CODE_EXECUTION]: The python_runner tool found in adk/multiagent/integration-excel-agent/tools/python_runner.go and adk/multiagent/deep/tools/python_runner.go allows for the dynamic execution of Python code. It extracts code from the LLM's response, writes it to a temporary file on disk, and executes it via the system's Python interpreter.
- [EXTERNAL_DOWNLOADS]: A gitclone tool in quickstart/eino_assistant/pkg/tool/gitclone/gitclone.go enables the agent to perform git clone and git pull operations on arbitrary remote repository URLs provided at runtime. Additionally, some examples configure MCP servers using npx to download and execute packages from the NPM registry.
- [COMMAND_EXECUTION]: The open tool in quickstart/eino_assistant/pkg/tool/open/open.go uses os/exec to invoke system-level commands like xdg-open (Linux), open (macOS), or rundll32 (Windows) to open arbitrary file paths or web URLs.
- [PROMPT_INJECTION]: As a framework assistant, the skill has a significant surface for indirect prompt injection. Malicious instructions could be embedded in documentation or external data being processed by agents developed using these patterns, potentially leading to unauthorized tool usage.
Recommendations
- AI detected serious security threats
Audit Metadata