explore-run
Warn
Audited by Gen Agent Trust Hub on May 29, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script
scripts/write_outputs.pydynamically loads and executes a Python module from a path computed at runtime. - Evidence:
module_path = Path(__file__).resolve().parents[3] / "shared" / "scripts" / "write_explore_bundle.py"followed by the use ofimportlib.utilto execute the module. - Context: The script attempts to load a utility from a parent directory (
../../../shared/scripts/), which allows for execution of code not contained within the skill's own files. - [PROMPT_INJECTION]: The skill possesses an attack surface for indirect prompt injection via external configuration files.
- Ingestion points: The
scripts/plan_variants.pyscript reads and parses a JSON specification file provided via the--spec-jsonargument. - Boundary markers: Absent. There are no explicit delimiters or instructions provided to the agent to treat the contents of the JSON as untrusted data.
- Capability inventory: The skill has the capability to execute Python code (as seen in
scripts/write_outputs.py) and perform complex file system operations. - Sanitization: While the script performs basic type validation (e.g.,
safe_float), it lacks semantic validation to prevent malicious instructions embedded in string fields from influencing agent behavior during experiment planning.
Audit Metadata