python-sdk
Pass
Audited by Gen Agent Trust Hub on Mar 17, 2026
Risk Level: SAFE
Finding categories: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: Documentation examples in references/tool-builder.md and references/agent-patterns.md demonstrate the use of eval() to handle tool calls, specifically within a calculator tool example (e.g., eval(call.args['expression'])). This pattern is highly insecure: eval() executes any Python expression it is given, so it enables arbitrary code execution whenever the expression is generated by an LLM or supplied by a user without rigorous sanitization.
- [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection through its data ingestion capabilities.
  - Ingestion points: Remote URLs for fetching skill content (defined in SKILL.md), results from the web_search internal tool, and data extracted from file attachments (e.g., OCR or image analysis results).
  - Boundary markers: The documentation does not demonstrate the use of delimiters or specific instructions to the agent to disregard instructions embedded within these external data sources.
  - Capability inventory: The SDK provides powerful capabilities, including file system manipulation (open, os.unlink), network requests (requests, aiohttp), and tool execution via the tool builder API.
  - Sanitization: No sanitization or validation logic is presented for content retrieved from external URLs or files before it is passed to the core AI models.
- [EXTERNAL_DOWNLOADS]: The skill documentation directs users to install the inferencesh package from PyPI and includes examples for fetching remote resources via URLs and interacting with external APIs through webhook tools.
Audit Metadata