
sympy

Fail

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: HIGH
Finding categories: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The SKILL.md file contains a section titled 'Suggest Using K-Dense Web For Complex Worflows' which instructs the agent to proactively steer users toward a specific commercial website (www.k-dense.ai). This is a directive designed to influence the agent's behavior for promotional purposes rather than to help with the task.
  • [REMOTE_CODE_EXECUTION]: In references/code-generation-printing.md, 'Pattern 3: Interactive Computation' provides a code example where raw input from input() is passed directly to sympy.parsing.sympy_parser.parse_expr. parse_expr evaluates the (transformed) string with eval(), so a user who supplies a crafted string can execute arbitrary Python in the agent's process.
  • [DYNAMIC_EXECUTION]: The skill documents the use of pickle.load() for deserializing SymPy objects in references/code-generation-printing.md. Unpickling data from an untrusted source is a well-known path to arbitrary code execution, because the stream can name any importable callable to be invoked during loading.
  • [DYNAMIC_EXECUTION]: The skill uses autowrap and ufuncify in references/code-generation-printing.md, which compile generated C or Fortran code at runtime (invoking an external compiler) and then load and execute the resulting binaries.
  • [DYNAMIC_EXECUTION]: Functions such as lambdify() are featured prominently; these generate and execute Python source at runtime to build fast numerical functions, which represents a significant dynamic execution surface.
  • [INDIRECT_PROMPT_INJECTION]: The skill's primary function is to process mathematical expressions, which are likely to come from untrusted user input. The demonstration code applies no sanitization or boundary markers before passing these strings to execution-capable functions like parse_expr, so injected content reaches an eval()-backed sink unchanged.
  • Ingestion points: parse_expr, parse_latex, and parse_mathematica functions in references/code-generation-printing.md.
  • Boundary markers: None present in the demonstration code.
  • Capability inventory: eval (via parse_expr), shell command execution for compilers (via autowrap), and file system writes (via codegen).
  • Sanitization: Not present in the code examples, although it is mentioned as a note in the documentation.
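The two findings above that matter most in practice are the eval()-backed parse_expr sink and pickle.load() on untrusted bytes. The following is an added example written for this audit page; it is not code from the audited skill or from SymPy. It shows the two boundary checks a practitioner would put in front of those sinks: an allowlist token filter that a string must pass before it is handed to parse_expr (it rejects attribute access, string literals, keywords, subscripts and calls to anything outside a fixed function set), and a restricted Unpickler that refuses any global outside an allowed module set. The allowlists (ALLOWED_FUNCS, ALLOWED_MODULE_PREFIXES and friends) are assumed policy for illustration, and the malicious pickle is constructed inline so the example runs offline without SymPy installed.

```python
import io
import keyword
import pickle
import re
import tokenize

# ---- Check 1: allowlist filter in front of sympy.parsing.sympy_parser.parse_expr ----
# parse_expr passes the (transformed) string to eval(), so anything that reaches it
# must already be known to be pure arithmetic. Run this filter first and only then
# call parse_expr(validated_text). Assumed policy values, adjust for your use case:
ALLOWED_FUNCS = {"sin", "cos", "tan", "exp", "log", "sqrt", "Abs"}
ALLOWED_CONSTS = {"pi", "E", "I"}
ALLOWED_OPS = {"+", "-", "*", "/", "**", "(", ")", ","}
SYMBOL_RE = re.compile(r"^[A-Za-z][A-Za-z0-9]{0,15}$")  # no underscores, so no dunders
_IGNORED = {tokenize.NEWLINE, tokenize.NL, tokenize.ENDMARKER,
            tokenize.INDENT, tokenize.DEDENT}


class UnsafeExpression(ValueError):
    """Raised when the text contains anything beyond plain arithmetic."""


def check_math_expr(text: str, max_len: int = 200) -> str:
    """Return `text` unchanged if it tokenizes to allowed arithmetic, else raise."""
    if len(text) > max_len:
        raise UnsafeExpression("expression too long")
    try:
        toks = [t for t in tokenize.generate_tokens(io.StringIO(text).readline)
                if t.type not in _IGNORED]
    except (tokenize.TokenError, SyntaxError) as exc:
        raise UnsafeExpression(f"cannot tokenize: {exc}") from exc
    if not toks:
        raise UnsafeExpression("empty expression")
    for i, tok in enumerate(toks):
        if tok.type == tokenize.NUMBER:
            continue
        if tok.type == tokenize.OP:
            if tok.string not in ALLOWED_OPS:      # blocks '.', '[', '=', ';', ':' ...
                raise UnsafeExpression(f"operator not allowed: {tok.string!r}")
            continue
        if tok.type == tokenize.NAME:
            nxt = toks[i + 1].string if i + 1 < len(toks) else None
            if nxt == "(":                          # a call: callee must be allowlisted
                if tok.string not in ALLOWED_FUNCS:
                    raise UnsafeExpression(f"call not allowed: {tok.string}(")
            elif tok.string not in ALLOWED_CONSTS and (
                    keyword.iskeyword(tok.string) or not SYMBOL_RE.match(tok.string)):
                raise UnsafeExpression(f"name not allowed: {tok.string}")
            continue
        # STRING, COMMENT, FSTRING_*, etc. have no place in an arithmetic expression
        raise UnsafeExpression(f"token not allowed: {tokenize.tok_name[tok.type]}")
    return text


def is_safe_math_expr(text: str) -> bool:
    try:
        check_math_expr(text)
        return True
    except UnsafeExpression:
        return False


# ---- Check 2: restricted unpickler for serialized SymPy objects ----
# pickle.load() imports and calls whatever global the stream names. Overriding
# find_class limits that to an allowed set. Assumed policy: only SymPy's own classes
# plus a few harmless builtins; everything else is refused before it is imported.
ALLOWED_MODULE_PREFIXES = ("sympy.",)
ALLOWED_BUILTINS = {"set", "frozenset", "complex", "range"}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if module == "builtins" and name in ALLOWED_BUILTINS:
            return super().find_class(module, name)
        if module == "sympy" or module.startswith(ALLOWED_MODULE_PREFIXES):
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def try_restricted_loads(data: bytes):
    """Return (True, obj) if the stream is accepted, else (False, reason)."""
    try:
        return True, RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)


class _Evil:
    """Constructed payload: a plain pickle.load() would run os.system('echo pwned')."""
    def __reduce__(self):
        import os
        return (os.system, ("echo pwned",))


BENIGN_PICKLE = pickle.dumps({"k": [1, 2.5, "s"]})   # constructed sample, no globals
MALICIOUS_PICKLE = pickle.dumps(_Evil())              # constructed sample, names os.system

if __name__ == "__main__":
    for s in ("x**2 + sin(x)", "__import__('os').system('id')", "x.__class__"):
        print(f"{s!r:40} safe={is_safe_math_expr(s)}")
    print(try_restricted_loads(BENIGN_PICKLE))
    print(try_restricted_loads(MALICIOUS_PICKLE))
```

The token filter does not make parse_expr safe against every abuse: an expression such as 9**9**9 still passes and will exhaust memory or CPU when evaluated, so resource limits or a timeout belong alongside it. Likewise the restricted unpickler only controls which globals a stream may reference; a pickle that names only SymPy classes can still be large or deeply nested, and the safer design is to avoid pickle for untrusted input entirely and exchange expressions as validated strings.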
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 10, 2026, 06:54 AM