denario

Warn

Audited by Gen Agent Trust Hub on Mar 3, 2026

Risk Level: MEDIUM
Tags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill instructs users to download and install software from third-party sources not associated with the author 'K-Dense-AI' or any listed trusted vendor: the GitHub repository 'github.com/AstroPilot-AI/Denario.git' and the Docker image 'pablovd/denario:latest'. The image is referenced by the mutable 'latest' tag rather than a digest, so the content pulled can change between runs.
  • [COMMAND_EXECUTION]: The 'get_results()' method dynamically generates and executes Python code based on agent reasoning to perform scientific calculations and data visualizations. That code runs with the privileges of the user's environment or of the container the skill is deployed in.
  • [CREDENTIALS_UNSAFE]: The system requires configuration of highly sensitive 'OPENAI_API_KEY' and 'GOOGLE_APPLICATION_CREDENTIALS' (Service Account JSON files, i.e. long-lived keys). While standard for LLM agents, these credentials are reachable from the same environment in which generated code executes, so they are a significant theft target if the skill or any of its dependencies is compromised.
  • [REMOTE_CODE_EXECUTION]: The installation steps 'git clone' and 'docker pull' fetch code and a container image from external accounts the skill does not verify, and the fetched content is then run; this amounts to executing remote code during setup and deployment. The references shown pin neither a commit hash nor an image digest.
  • [PROMPT_INJECTION]: The skill exposes a surface for indirect prompt injection via the datasets it processes. Ingestion points: 'set_data_description' and 'set_method' (SKILL.md). Boundary markers: the documentation specifies no delimiters around ingested text and no instruction to ignore commands embedded in it. Capability inventory: full Python execution via 'get_results' and file system access (references/research_pipeline.md), so an injected instruction can be carried through to code execution. Sanitization: no evidence of input validation for user-provided data sources.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 3, 2026, 08:47 PM