deepagent
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: CRITICAL (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- Remote Code Execution (CRITICAL): Section 3 provides a calculate tool example that calls eval(expression) on agent-provided input. This is a classic vulnerability that allows arbitrary code execution within the environment.
- Indirect Prompt Injection (HIGH): The skill defines patterns for Code Assistant and Research agents that ingest untrusted content from web searches, URLs, and local files (ingestion points: read_url, web_search, read_file). These agents are granted dangerous capabilities (capability inventory: eval, run_python, write_file, service_action). No boundary markers or sanitization are present, so attacker-controlled data can hijack these operations.
- Command Execution (HIGH): The integration with sysadmin_tool introduces capabilities such as service_action and tail_log. Combined with the prompt-injection exposure above, this allows an attacker to disrupt system services or access sensitive logs.
- Data Exfiltration (MEDIUM): The fetch_data tool uses the requests library to send data to arbitrary URLs. Used alongside the file-reading tools, this creates a path for exfiltrating sensitive local data to external endpoints.
Recommendations
- AI detected serious security threats
Audit Metadata