flowerpower
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): scripts/init_project.py installs the flowerpower package using pip without verifying the source or integrity, which is a concern for unverifiable dependencies.
- COMMAND_EXECUTION (MEDIUM): Multiple scripts (create_pipeline.py, init_project.py, run_pipeline.py) use subprocess.run to execute the flowerpower CLI. While they use list-based arguments, these operations still permit system-level interactions based on agent-generated paths.
- REMOTE_CODE_EXECUTION (HIGH): The framework's architecture depends on dynamic code loading. It imports modules via additional_modules and executes callback functions specified by name in the configuration (e.g., on_success, on_failure). This creates a direct path for execution of arbitrary code provided in YAML configs.
- PROMPT_INJECTION (HIGH): The skill exhibits a large surface for indirect prompt injection. In run_pipeline.py, the --inputs and --run-config arguments accept JSON/YAML that the agent processes into the execution environment. Lack of sanitization allows malicious instructions to influence the Hamilton DAG or trigger dangerous function calls.
- DATA_EXFILTRATION (MEDIUM): Configuration settings like api_url in project.yml for trackers (e.g., Hamilton tracker, MLflow) could be redirected to attacker-controlled endpoints to leak data processed within pipelines.
Recommendations
- AI detected serious security threats