skills/maragudk/fabrik/marimo/Gen Agent Trust Hub

marimo

Pass

Audited by Gen Agent Trust Hub on Apr 30, 2026

Risk Level: SAFE
Full Analysis
  • [UNVERIFIABLE_DEPENDENCIES_AND_REMOTE_CODE_EXECUTION]: The skill documents the installation of the "marimo" library and its SQL extras via pip. It also describes features for loading LaTeX macros from remote URLs and querying data files from remote sources such as S3 or HTTPS.
  • [DYNAMIC_EXECUTION]: Documentation for "mo.persistent_cache" describes the use of "pickle" for serializing and deserializing data to disk to maintain state across sessions.
  • [DATA_EXPOSURE_AND_EXFILTRATION]: Several APIs are documented that allow interaction with the local file system ("mo.ui.file_browser", "mo.watch") or access to HTTP request metadata such as headers and cookies ("mo.app_meta().request"). These are standard features for creating interactive data applications.
  • [INDIRECT_PROMPT_INJECTION]: The skill documents an environment that processes untrusted data.
      • Ingestion points: UI components (inputs.md), SQL queries (sql.md), and HTTP request data (app.md).
      • Boundary markers: The documentation recommends using "mo.iframe" to isolate potentially unsafe HTML content (html.md).
      • Capability inventory: Includes file system access ("mo.ui.file_browser"), database querying ("mo.sql"), and state management ("mo.state").
      • Sanitization: The reference material explicitly advises using "html.escape" for user-provided content to prevent script injection (html.md).
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 30, 2026, 07:56 AM