vertex-engine-inspector
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFE
Finding categories: PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface. The scripts/inspect-agent.sh script retrieves an endpoint URL from agent metadata via gcloud ai agents describe and subsequently makes a curl request to that URL carrying a gcloud access token. If an attacker can control the agent's configuration, they could capture this token by pointing the endpoint at a server they control.
  - Ingestion points: scripts/inspect-agent.sh (line 69) and scripts/check-security.py (line 89) both ingest data from gcloud output.
  - Boundary markers: Absent. The scripts do not validate the source or content of the metadata before use.
  - Capability inventory: Bash(cmd:*) and Read tools are allowed. The scripts execute sub-processes and make network requests.
  - Sanitization: None. The agent endpoint is used directly in a network request without validation.
- [DATA_EXFILTRATION]: Access to Sensitive Cloud Metadata. The skill retrieves and analyzes sensitive information including IAM policies, VPC Service Controls, and encryption settings. While this is the intended functionality, the authenticated network request to a potentially attacker-controlled URL creates a risk of access-token exfiltration.
- [COMMAND_EXECUTION]: Execution of Local Scripts. The skill uses local shell and Python scripts to perform its analysis by wrapping gcloud CLI commands. While the scripts are distributed with the skill, they represent a significant capability for interacting with the host's cloud environment.
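The token-leak path above (endpoint read from agent metadata, then curl with a bearer token) is easy to close by checking the URL before the token is attached. The block below is an added example written for this audit page, not the skill's own scripts/inspect-agent.sh: it validates that the endpoint is an https URL on an allowed host suffix (assumed here to be .googleapis.com) and rejects the usual smuggling tricks (http scheme, look-alike hosts, userinfo before an @, the real host hidden in a query string). The `gcloud ai agents describe` invocation and the `--format='value(endpoint)'` field path in inspect_agent are assumptions about the skill's command; the validation functions run offline.

```bash
#!/usr/bin/env bash
# Added example for the audit finding above; not code from the audited skill.
set -euo pipefail

# Assumption: agent endpoints are only expected under this host suffix.
ALLOWED_HOST_SUFFIX=".googleapis.com"

# Print the host of an https URL. Returns 1 (prints nothing) for a non-https
# URL, an empty host, or a URL with userinfo (user@host), which can make
# "https://trusted.googleapis.com@attacker.example/" look trusted.
url_host() {
  local url="$1"
  case "$url" in
    https://*) ;;
    *) return 1 ;;
  esac
  local rest="${url#https://}"
  local hostport="${rest%%/*}"   # cut at first slash
  hostport="${hostport%%\?*}"    # cut at query
  hostport="${hostport%%#*}"     # cut at fragment
  case "$hostport" in
    *@*) return 1 ;;
  esac
  local host="${hostport%%:*}"   # drop :port
  [ -n "$host" ] || return 1
  printf '%s\n' "$host"
}

# Return 0 only if the endpoint is https and its host ends with the allowed
# suffix (the leading dot means "evilgoogleapis.com" does not match).
validate_endpoint() {
  local url="$1" host
  host="$(url_host "$url")" || return 1
  host="$(printf '%s' "$host" | tr '[:upper:]' '[:lower:]')"
  case "$host" in
    *"$ALLOWED_HOST_SUFFIX") return 0 ;;
    *) return 1 ;;
  esac
}

# Hardened form of the pattern the audit describes: fetch the endpoint from
# agent metadata, refuse to proceed unless it validates, and only then mint
# the access token and send it. Command and field name are assumptions.
inspect_agent() {
  local agent="$1" location="$2" endpoint token
  endpoint="$(gcloud ai agents describe "$agent" --location="$location" \
    --format='value(endpoint)')"
  if ! validate_endpoint "$endpoint"; then
    printf 'refusing to send credentials to untrusted endpoint: %s\n' "$endpoint" >&2
    return 2
  fi
  token="$(gcloud auth print-access-token)"
  # The token is passed via a header file rather than on the command line so
  # it does not show up in the process list.
  curl -fsS -H @<(printf 'Authorization: Bearer %s\n' "$token") "$endpoint"
}

# Usage: RUN_INSPECT=1 ./inspect-hardened.sh AGENT_ID us-central1
if [ "${RUN_INSPECT:-0}" = "1" ] && [ "$#" -eq 2 ]; then
  inspect_agent "$1" "$2"
fi
```

The check is deliberately an allowlist on the host suffix rather than a denylist of bad URLs: the threat in the finding is that the metadata field is attacker-controlled, so the only safe rule is "send the token to hosts we already trust". A stricter deployment would pin the exact expected host (for example the regional aiplatform endpoint) instead of the whole suffix.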
Audit Metadata