
token-efficient

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Threat Categories: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION] (HIGH): The tool 'execute_code' provides a surface for arbitrary execution of Python, Node.js, and Bash code. The provided documentation (references/examples.md) explicitly shows the ability to run complex shell scripts and install external packages.
  • [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8) due to its core functionality.
    * Ingestion points: Files processed via 'process_csv', 'process_logs', and 'batch_process_csv'.
    * Boundary markers: None; there are no instructions or delimiters provided to help the agent distinguish between data and instructions within the processed files.
    * Capability inventory: Full arbitrary code execution via 'execute_code', which can be triggered by instructions found within the untrusted files.
    * Sanitization: No sanitization or validation logic is present for file contents or the 'filter_expr' parameters.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): Documentation encourages the use of 'pip install' at runtime within the sandbox environment to fetch dependencies. This can be used to download and execute malicious code from external repositories if the agent is misled by injected data.
  • [COMMAND_EXECUTION] (MEDIUM): Helper scripts in the 'scripts/' directory execute shell commands like 'grep', 'wc', and 'du' on user-provided file paths, which could lead to command injection if the underlying MCP tools do not strictly validate the 'file_path' inputs.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 05:40 AM