crewai-multi-agent
Warn
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: Usage of the
eval()function inCalculatorToolexamples found inSKILL.mdandreferences/tools.md. The implementation inSKILL.mdlacks any input validation, while the version inreferences/tools.mduses a superficialisalpha()check that is insufficient to prevent all forms of malicious code execution. - [COMMAND_EXECUTION]: Documentation includes a
CodeInterpreterToolfor executing Python code. While described as sandboxed, it provides a high-privilege capability for agents to run arbitrary scripts. - [DATA_EXFILTRATION]: The skill documents several tools for file system and database interaction, including
FileReadTool,FileWriterTool,DirectoryReadTool,MySQLSearchTool, andPostgreSQLTool. These tools allow agents to read and modify local files or query remote databases. - [EXTERNAL_DOWNLOADS]: Extensive support for web scraping and remote data retrieval via tools like
ScrapeWebsiteTool,SeleniumScrapingTool, andFirecrawlScrapeWebsiteTool. These tools enable the agent to fetch and process content from arbitrary external URLs. - [INDIRECT_PROMPT_INJECTION]: The skill possesses a significant attack surface for indirect prompt injection due to its ability to ingest data from untrusted sources (web, PDF, CSV, etc.).
- Ingestion points:
ScrapeWebsiteTool,PDFSearchTool,FileReadTool,YoutubeVideoSearchTool(documented inreferences/tools.md). - Boundary markers: Absent; examples show direct interpolation of variables into task descriptions without delimiters.
- Capability inventory:
CodeInterpreterTool,FileWriterTool,MySQLSearchTool(documented inreferences/tools.md). - Sanitization: No mention of input sanitization or filtering for ingested content before it is processed by agents.
Audit Metadata