arize-instrumentation
Fail
Audited by Gen Agent Trust Hub on Apr 2, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to offer and perform modifications to sensitive shell configuration files, specifically ~/.bashrc and ~/.zshrc, to persist the ARIZE_SPACE_ID environment variable. In references/ax-profiles.md, it directs the agent to append export commands to these files. Modifying shell profiles is a high-severity concern because it is a common persistence mechanism used to maintain access across sessions: anything appended there runs in every new interactive shell.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because its workflow involves reading and processing untrusted data from the user's project files (such as package.json, pyproject.toml, and source code imports) to inform its instrumentation logic. A malicious project could use these files to influence the agent's behavior, and the agent's capabilities (package installation, file writes, shell profile edits) make such influence consequential.
  - Ingestion points: The agent reads dependency manifests and source files to detect the application stack and the frameworks in use.
  - Boundary markers: No boundary markers or instructions to ignore embedded instructions are used when ingesting project data.
  - Capability inventory: The skill allows package installation (pip, npm, yarn), writing instrumentation modules to the filesystem, and modifying shell profiles.
  - Sanitization: There is no evidence of sanitization, validation, or strict schema enforcement for the data read from the local project files.
Recommendations
- AI detected serious security threats
Audit Metadata