Skills
skills/lingzhi227/claude-research-skills/figure-generation/Gen Agent Trust Hub

figure-generation

Fail

Audited by Gen Agent Trust Hub on Apr 21, 2026

Risk Level: HIGHCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill's core workflow involves executing a Python script (figure_script.py) that is dynamically generated by the LLM at runtime. This script is executed in the local environment using the command python figure_script.py, which can perform any action the user running the agent is authorized to do.
  • [REMOTE_CODE_EXECUTION]: The system prompts in references/figure-prompts.md explicitly instruct the LLM that it is a "super capable code generation LLM" and that it "can use any python library you want." This creates a vector for the LLM (or an attacker via injection) to include code that downloads and executes malicious payloads or installs unauthorized third-party packages.
  • [PROMPT_INJECTION]: The skill is highly susceptible to direct and indirect prompt injection. The user-provided figure description ($0) is interpolated directly into several prompt templates (e.g., Phase 1 and Phase 2) using simple bracketed placeholders. A malicious query could override the intended behavior to generate scripts for data exfiltration or system modification instead of plotting.
  • [DATA_EXFILTRATION]: While the skill's intended purpose is figure generation, the ability to generate and execute arbitrary code provides a direct path for exfiltration. If the LLM is subverted, it can access sensitive files (such as those potentially provided in $1) and send them to external servers using network libraries like requests or urllib.
  • [INDIRECT_PROMPT_INJECTION]: The skill has a significant indirect injection surface:
  • Ingestion points: The figure description ($0) and the contents of the data file ($1), which are processed during the query expansion and code generation phases.
  • Boundary markers: The prompts use triple quotes (""") as delimiters for user input, which are insufficient to prevent injection in code-generation contexts.
  • Capability inventory: The skill possesses the capability to write files, execute subprocesses, and potentially access the network.
  • Sanitization: There is no evidence of sanitization, validation, or escaping of the user-provided query or data file content before they are used to influence code generation.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Apr 21, 2026, 07:28 AM