python
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is highly vulnerable to indirect prompt injection through the processing of untrusted local or remote code repositories.
  - Ingestion points: `scripts/check_quality.py` and `scripts/autofix.py` take a `target_directory` as an argument and process all files within that tree.
  - Boundary markers: No delimiters or safety instructions are provided to the underlying tools to prevent the execution of instructions embedded in the source code or comments.
  - Capability inventory: The skill invokes `pytest` via `subprocess.run` in `check_quality.py`. By design, `pytest` imports and executes any Python code found in test files (e.g., `test_*.py`); module-level code runs at collection time, before any test is selected. This allows an attacker to execute arbitrary code on the host system if the agent runs quality checks on a malicious repository.
  - Sanitization: There is no validation or sanitization of the code content before execution.
- Command Execution (MEDIUM): The scripts `autofix.py` and `check_quality.py` programmatically execute several CLI tools (`ruff`, `mypy`, `pytest`, `bandit`) via `subprocess.run`. While they avoid `shell=True`, they allow execution of system commands based on user-provided path inputs.
- Dynamic Execution (MEDIUM): The inclusion of `pytest` in the core workflow involves the dynamic execution of Python scripts. While standard for development, it constitutes a runtime execution risk when the source of the tests is untrusted.
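The following is an added example, not code from the audited skill or from the auditor. It shows the shape of the finding (a `subprocess.run` call that hands an arbitrary `target_directory` straight to `pytest`) next to a guarded form that canonicalises the path, requires it to sit under an explicitly trusted root, and includes `pytest` in the plan only when the caller opts in to executing code from that tree; the static tools (`ruff`, `mypy`, `bandit`) are still run as argv lists without a shell. All names (`plan_checks`, `resolve_target`, `is_trusted`, `build_demo_tree`) and the sample directory layout are assumptions made for this demonstration.

```python
"""Gating pytest behind an explicit trust decision (illustrative, not the skill's code)."""
import os
import subprocess
import tempfile
from pathlib import Path


class UntrustedTargetError(ValueError):
    """Raised when target_directory resolves outside every trusted root."""


# Tools that only read source text. They still run as subprocesses, so the
# argument list is built here and never passed through a shell.
STATIC_TOOLS = (
    ["ruff", "check"],
    ["mypy"],
    ["bandit", "-r"],
)


def run_quality_checks_unsafe(target_directory):
    """Shape of the finding: pytest collects and imports every test module
    under whatever path the caller supplied. Shown for contrast only."""
    return subprocess.run(["pytest", str(target_directory)], check=False).returncode


def resolve_target(target_directory, trusted_roots):
    """Canonicalise the path (following symlinks) and require it to live under
    one of the trusted roots. A symlink inside a trusted root that points
    elsewhere is rejected because resolve() follows it before the check."""
    target = Path(target_directory).resolve(strict=True)
    for root in trusted_roots:
        root = Path(root).resolve(strict=True)
        if target == root or root in target.parents:
            return target
    raise UntrustedTargetError(f"{target} is outside trusted roots {list(trusted_roots)}")


def is_trusted(target_directory, trusted_roots):
    """Boolean form of resolve_target; a missing path is also untrusted."""
    try:
        resolve_target(target_directory, trusted_roots)
        return True
    except (UntrustedTargetError, FileNotFoundError):
        return False


def plan_checks(target_directory, trusted_roots, allow_dynamic_execution=False):
    """Return the argv lists to run. pytest is only included when the caller
    has explicitly accepted that code from the target tree will execute."""
    target = resolve_target(target_directory, trusted_roots)
    commands = [tool + [str(target)] for tool in STATIC_TOOLS]
    if allow_dynamic_execution:
        commands.append(["pytest", str(target)])
    return commands


def run_checks(target_directory, trusted_roots, allow_dynamic_execution=False):
    """Execute the planned commands without a shell; returns exit codes by tool."""
    results = {}
    for argv in plan_checks(target_directory, trusted_roots, allow_dynamic_execution):
        completed = subprocess.run(argv, check=False, capture_output=True, text=True)
        results[argv[0]] = completed.returncode
    return results


def build_demo_tree():
    """Constructed sample layout (not from the page): a trusted workspace holding
    one project, a clone outside it with a test file that runs code on import,
    and a symlink inside the workspace that escapes to that clone."""
    base = Path(tempfile.mkdtemp(prefix="skill-demo-"))
    workspace = base / "workspace"
    project = workspace / "project"
    outside = base / "untrusted_clone"
    project.mkdir(parents=True)
    outside.mkdir()
    (outside / "test_evil.py").write_text(
        "# constructed: module-level code runs as soon as pytest collects this file\n"
        "print('executed during pytest collection')\n"
    )
    escape = workspace / "escape"
    os.symlink(outside, escape, target_is_directory=True)
    return {"workspace": workspace, "project": project, "outside": outside, "escape": escape}


if __name__ == "__main__":
    paths = build_demo_tree()
    roots = [paths["workspace"]]
    print(plan_checks(paths["project"], roots))                                  # static tools only
    print(plan_checks(paths["project"], roots, allow_dynamic_execution=True))    # pytest appended
    print(is_trusted(paths["escape"], roots))                                    # False: symlink escapes
```

The trust gate is a policy control, not a sandbox: for a tree that must stay untrusted, `pytest` belongs in a disposable environment (container or VM with no credentials or host mounts) rather than on the agent host, and the static tools should be pointed at a configuration file the operator controls rather than one found in the target tree.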
Recommendations
- AI detected serious security threats
Audit Metadata