deepagents-setup-configuration
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): Indirect prompt injection vulnerability surface. The templates configure agents with 'FilesystemMiddleware', which provides 'read_file', 'write_file', and 'edit_file' capabilities.
  - Ingestion points: Untrusted data enters the agent context through 'read_file' (reading arbitrary files) and 'search_documentation' (tool output).
  - Boundary markers: None. The provided system prompts do not include delimiters or instructions to ignore embedded commands in the data being processed.
  - Capability inventory: The agent possesses high-privilege tools including 'write_file', 'edit_file', and 'task' (subagent delegation).
  - Sanitization: There is no sanitization or path validation for the filesystem operations, so an attacker who gets the agent to read a malicious document could influence it into overwriting or corrupting local files.
- [REMOTE_CODE_EXECUTION] (MEDIUM): Dynamic code execution via 'eval()'. The 'calculate' tool in 'assets/examples/basic-deep-agent/agent.py' passes strings produced by the LLM to the Python 'eval()' function. A character whitelist ('0123456789+-*/()., ') is applied as a mitigation, but evaluating strings derived from user-influenced prompts remains a risky pattern that can lead to unexpected execution contexts.
Recommendations
- AI detected serious security threats
Audit Metadata