modal

Pass

Audited by Gen Agent Trust Hub on Apr 9, 2026

Risk Level: SAFE
Categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through its web scraping and OCR examples in references/examples.md. These patterns allow an attacker to embed malicious instructions in web pages or images that are then processed and included in the agent's context.
  • Ingestion points: The scrape_url function (line 91) fetches arbitrary web content via httpx, and the ocr_page function (line 160) extracts text from images via pytesseract.
  • Boundary markers: No boundary markers or delimiter instructions are applied when the extracted text is returned to the agent.
  • Capability inventory: The skill has access to sensitive capabilities including network requests (httpx), file system writes (modal.Volume), and subprocess execution (subprocess.run in references/gpu.md).
  • Sanitization: There is no evidence of sanitization, filtering, or validation performed on the ingested external data before it is presented to the agent.
  • [COMMAND_EXECUTION]: The skill facilitates remote and local command execution as part of its core functionality. This includes using the Modal CLI for modal run, modal deploy, and modal volume operations. Additionally, the skill's build system (.run_commands()) and GPU training examples (subprocess.run) allow for arbitrary shell command execution in both local and remote environments.
  • [EXTERNAL_DOWNLOADS]: The skill installs the modal Python package and dependencies via uv or pip. It also facilitates the download of container images from registries and model weights from external sources like Hugging Face (e.g., snapshot_download in references/images.md) during the image build process.
  • [DATA_EXFILTRATION]: The skill manages highly sensitive credentials, specifically MODAL_TOKEN_ID and MODAL_TOKEN_SECRET, as well as general application secrets via modal.Secret. The ability to transfer data between the local machine and cloud volumes (modal volume put/get) creates a pathway for potential data exfiltration if the agent is manipulated into moving sensitive files.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 9, 2026, 10:13 PM