python-sdk
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Threat categories: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION] (HIGH): In 'references/tool-builder.md', the example code for a 'calculate' tool passes an argument generated by the AI agent to Python's built-in 'eval()' ('eval(call.args["expression"])'). Because the model composes that string from whatever it has read, a prompt injection in user input or tool output can make it emit arbitrary Python, which 'eval()' then executes on the host machine with the tool's privileges.
- [COMMAND_EXECUTION] (HIGH): The 'Code Execution Pattern' in 'references/agent-patterns.md' demonstrates enabling a built-in capability for the agent to write and run arbitrary Python code ('internal_tools().code_execution(True)'). This provides a direct path to system-level command execution.
- [PROMPT_INJECTION] (HIGH): The skill describes an 'Indirect Prompt Injection' surface (Category 8) by showing agents that ingest untrusted data (e.g., via a 'search' tool or 'researcher' sub-agent) and subsequently pass that data to high-privilege tools like the 'eval'-based calculator or the 'code_execution' environment.
  - Ingestion points: External content from web search and research tools in 'references/agent-patterns.md'.
  - Boundary markers: Absent in all prompt templates.
  - Capability inventory: eval(), internal code execution, and file deletion tool ('delete_file').
  - Sanitization: None present; the examples directly process or evaluate the agent's interpretation of external data.
- [DATA_EXFILTRATION] (MEDIUM): The 'webhook_tool' implementation in 'references/tool-builder.md' allows agents to send data to arbitrary HTTP endpoints, which can be exploited for exfiltrating sensitive data accessed via the file system or other tools.
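The two tool-level findings above (the 'eval()'-based calculator and the unrestricted 'webhook_tool') can both be fixed at the tool boundary without touching the agent loop. The following is an added example written for this audit page, not code from the python-sdk skill or from 'references/tool-builder.md': 'calculate_unsafe' reconstructs the flagged pattern for contrast, 'calculate_safe' replaces 'eval()' with an AST walk that accepts only numeric arithmetic, and 'webhook_destination_allowed' gates outbound webhook URLs against an allowlist. The allowlisted host 'hooks.example.com' and all function names are assumptions for illustration.

```python
import ast
import ipaddress
import operator
from urllib.parse import urlsplit

# --- Finding 1: eval() on a model-supplied expression ----------------------

def calculate_unsafe(expression: str):
    """Mirrors the flagged pattern: the expression string comes from the agent.
    Reconstructed here for contrast only; this is the RCE sink."""
    return eval(expression)


# Arithmetic operators the hardened calculator is willing to perform.
_BIN_OPS = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.Div: operator.truediv, ast.FloorDiv: operator.floordiv,
    ast.Mod: operator.mod, ast.Pow: operator.pow,
}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}


def calculate_safe(expression: str, max_len: int = 200):
    """Arithmetic only: numeric literals, + - * / // % ** and parentheses.
    Names, calls, attributes, subscripts and statements are all rejected,
    so "__import__('os')..." never reaches anything that executes."""
    if len(expression) > max_len:
        raise ValueError("expression too long")
    try:
        tree = ast.parse(expression, mode="eval")
    except SyntaxError as exc:
        raise ValueError(f"invalid expression: {exc.msg}") from None
    return _eval_node(tree.body)


def _eval_node(node: ast.AST):
    # Numeric constants only; bool is an int subclass, so exclude it explicitly.
    if (isinstance(node, ast.Constant)
            and isinstance(node.value, (int, float))
            and not isinstance(node.value, bool)):
        return node.value
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval_node(node.operand))
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        left, right = _eval_node(node.left), _eval_node(node.right)
        if isinstance(node.op, ast.Pow) and abs(right) > 64:
            raise ValueError("exponent too large")  # cheap CPU/memory DoS guard
        return _BIN_OPS[type(node.op)](left, right)
    raise ValueError(f"disallowed syntax: {type(node).__name__}")


def compare(expression: str):
    """Return (what eval() produces, whether the hardened version rejects it)."""
    try:
        calculate_safe(expression)
        rejected = False
    except ValueError:
        rejected = True
    return calculate_unsafe(expression), rejected


# --- Finding 4: webhook tool posting to arbitrary endpoints ---------------

# Assumed allowlist for this example; real destinations belong in deployment
# config, not in the prompt or the tool description the model can see.
WEBHOOK_ALLOWLIST = frozenset({"hooks.example.com"})


def webhook_destination_allowed(url: str, allowlist=WEBHOOK_ALLOWLIST) -> bool:
    """Accept only https URLs on port 443 whose host exactly matches the allowlist.
    Rejects userinfo tricks (https://good.host@evil.host/), bare IP literals,
    non-standard ports and subdomain look-alikes (good.host.evil.host)."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.username or parts.password:
        return False
    host = parts.hostname
    if not host or parts.port not in (None, 443):
        return False
    try:
        ipaddress.ip_address(host)
        return False  # an IP literal is never an allowlisted name
    except ValueError:
        pass
    return host.lower() in allowlist
```

Wire 'calculate_safe' in place of the 'eval()' call and have the webhook tool refuse (and log) any URL for which 'webhook_destination_allowed' returns False before it opens a connection; an allowlist check that runs after the request has been sent is no control at all. Neither function trusts the model to behave, which is the property the audit's findings say the current examples lack.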
Recommendations
- AI detected serious security threats
Audit Metadata