tle-developer-flagos
Pass
Audited by Gen Agent Trust Hub on Mar 25, 2026
Risk Level: SAFECOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill directs the AI agent to execute shell commands to build the project and set up the environment. This includes running repository-specific scripts like
./build.sh, using theninjabuild system, and installing packages viapip install -e .. These actions involve executing local scripts and binaries with the agent's permissions. - [REMOTE_CODE_EXECUTION]: The skill contains a complete Python script template (
/tmp/tle_axpy_quickstart.py) and instructs the agent to create and run this file locally. This dynamic script generation and execution bypasses static code analysis and can be manipulated if the generation logic is influenced by untrusted input. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It searches the repository for code snippets and ingests user-defined goals and acceptance criteria, which are then used to drive agent actions. The analysis identified the following risk factors:
- Ingestion points: User-supplied text (Goal, Acceptance) and repository content retrieved via
ripgrep(rg). - Boundary markers: Absent. There are no instructions to use delimiters or specifically ignore instructions found within external data.
- Capability inventory: The agent can execute shell commands, build tools, and generated Python code.
- Sanitization: Absent. There is no mention of validating or escaping content retrieved from the file system or user before processing.
Audit Metadata