explore-run

Warn

Audited by Gen Agent Trust Hub on May 29, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/write_outputs.py dynamically loads and executes a Python module from a path computed at runtime.
  • Evidence: module_path = Path(__file__).resolve().parents[3] / "shared" / "scripts" / "write_explore_bundle.py" followed by the use of importlib.util to execute the module.
  • Context: The script attempts to load a utility from a parent directory (../../../shared/scripts/), which allows for execution of code not contained within the skill's own files.
  • [PROMPT_INJECTION]: The skill possesses an attack surface for indirect prompt injection via external configuration files.
  • Ingestion points: The scripts/plan_variants.py script reads and parses a JSON specification file provided via the --spec-json argument.
  • Boundary markers: Absent. There are no explicit delimiters or instructions provided to the agent to treat the contents of the JSON as untrusted data.
  • Capability inventory: The skill has the capability to execute Python code (as seen in scripts/write_outputs.py) and perform complex file system operations.
  • Sanitization: While the script performs basic type validation (e.g., safe_float), it lacks semantic validation to prevent malicious instructions embedded in string fields from influencing agent behavior during experiment planning.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 29, 2026, 07:59 PM
Security Audit — agent-trust-hub — explore-run