adk-agent-builder
Warn
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill requests `Bash(cmd:*)` permissions in `SKILL.md` to perform project scaffolding (e.g., creating directories and files) and deployment tasks (e.g., `adk deploy`). This level of access grants unrestricted shell execution capabilities on the host system, which could be exploited to run arbitrary malicious code if the agent is compromised.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it demonstrates patterns where agents ingest untrusted content from external sources (e.g., `LinkedInScraperTool` and `WebScraperTool` in `references/SKILL.full.md`) and process that content within an LLM reasoning loop.
  - Ingestion points: Untrusted data enters via web scraping tools mentioned in `references/SKILL.full.md`.
  - Boundary markers: The example reasoning prompts do not implement delimiters or instructions to ignore embedded commands in the scraped data.
  - Capability inventory: The agent possesses significant capabilities, including `Bash(cmd:*)` and `Write` tool access, enabling high-impact actions if an injection occurs.
  - Sanitization: No input sanitization or validation is demonstrated for the data retrieved from external tools before it is sent to the LLM.
- [EXTERNAL_DOWNLOADS]: The documentation in `references/SKILL.full.md` instructs users to install several external Python packages and a vendor-specific plugin (`/plugin install jeremy-google-adk@jeremylongshore`). While these are functional requirements for the skill, they represent an expanded attack surface through external dependencies.
Audit Metadata