kestra
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- REMOTE_CODE_EXECUTION (HIGH): The skill provides detailed templates and instructions for executing arbitrary Python, Shell, and Node.js code via the io.kestra.plugin.scripts suite. This allows for runtime code execution with access to the container or host environment. Evidence: references/scripts.md.
- EXTERNAL_DOWNLOADS (HIGH): The skill directs technical queries to an untrusted external API at api.kestra.io and demonstrates runtime installation of third-party packages from public registries like PyPI and npm. Evidence: references/ask-kestra-ai.md.
- COMMAND_EXECUTION (HIGH): The skill enables shell command execution, including configurations that allow direct access to the Kestra host process when using the Process runner. Evidence: references/gotchas.md and references/scripts.md.
- DATA_EXFILTRATION (MEDIUM): The skill provides functions to read internal storage files (read() function) and tasks to send data to external URIs (HTTP Request plugin), creating a path for potential data exfiltration. Evidence: references/storage.md and references/templating.md.
- PROMPT_INJECTION (HIGH): The skill exposes a significant surface for indirect prompt injection: it is designed to ingest untrusted data from external sources (ingestion points: inputs, trigger.body, HTTP responses) and to process that data with powerful execution capabilities (Shell/Python scripts, network requests). Boundary markers: the skill recommends the | json filter as a boundary marker. Sanitization: limited to JSON escaping and the use of inputFiles to avoid shell quoting issues. Evidence: references/triggers.md and references/scripts.md.
Recommendations
- AI detected serious security threats
Audit Metadata