ai-taking-actions

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • COMMAND_EXECUTION (MEDIUM): The skill provides examples using dspy.PythonInterpreter({}).execute(expression) in SKILL.md and examples.md. This allows execution of an arbitrary Python code string passed to the interpreter. In the context of an autonomous agent, this 'expression' is generated by the LLM, creating a direct path to Remote Code Execution (RCE) if the agent's instructions are subverted.
  • EXTERNAL_DOWNLOADS (LOW): SKILL.md instructs users to install external packages using pip install langchain-community. This is a standard dependency management practice but involves fetching code from a public registry.
  • DATA_EXFILTRATION (LOW): The examples.md file contains network operations to external services, including a hardcoded IP address 20.102.90.50 (ColBERTv2 server) and wttr.in. While these appear to be for demonstration purposes, they represent unauthorized network egress to non-whitelisted domains.
  • PROMPT_INJECTION (LOW): Category 8: Indirect Prompt Injection surface identified.
      • Ingestion points: User input is accepted via the question parameter in agent(question=...) calls in both SKILL.md and examples.md.
      • Boundary markers: None. No delimiters or instructions are provided to the model to treat user input as untrusted data.
      • Capability inventory: The skill possesses powerful capabilities including dspy.PythonInterpreter.execute() (code execution), requests.get() (network access), and dspy.ColBERTv2 (remote database retrieval).
      • Sanitization: Absent. No logic is present to validate or sanitize the expression before it is passed to the Python interpreter.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 17, 2026, 06:34 PM