crewai
Warn
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The example CalculatorTool uses the eval() function to process expressions. This allows for arbitrary code execution if an attacker can influence the string passed to the tool through prompt injection.
- [COMMAND_EXECUTION]: The skill utilizes the CodeInterpreterTool, which is designed to execute code generated by the AI agent. This capability can be exploited to run malicious commands if the agent's logic is subverted.
- [DATA_EXFILTRATION]: The inclusion of FileReadTool and DirectoryReadTool allows agents to read from the local filesystem. This poses a risk of sensitive data exposure if the agent is directed to read configuration files, SSH keys, or environment variables.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to its data processing patterns.
  - Ingestion points: Data enters the context through ScrapeWebsiteTool (SKILL.md) and variable interpolation in tasks (e.g., {topic} in SKILL.md).
  - Boundary markers: None. The task descriptions do not use delimiters or instructions to ignore embedded commands in the interpolated data.
  - Capability inventory: The skill features powerful tools including CodeInterpreterTool, FileReadTool, and eval()-based custom tools.
  - Sanitization: There is no evidence of filtering or sanitizing content fetched from external websites or user-provided variables before they are processed by the agents.
Audit Metadata