math

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The instructions in SKILL.md direct the agent to use the Bash tool to run Python scripts (sympy_compute.py, z3_solve.py, pint_compute.py) with user-supplied strings as arguments. The documentation shows the input being placed directly inside shell commands (e.g., uv run python "..."). An attacker can use shell metacharacters such as semicolons, pipes, or backticks to execute arbitrary code.
  • [REMOTE_CODE_EXECUTION] (HIGH): The shell injection vulnerability provides a path for arbitrary code execution on the host system where the agent is running.
  • [PROMPT_INJECTION] (HIGH): The math_router.py tool processes natural language requests to determine tool routing. Mandatory Evidence Chain: 1. Ingestion points: natural language requests (SKILL.md); 2. Boundary markers: Absent; 3. Capability inventory: Bash, Read, and Write tools allowing subprocess execution; 4. Sanitization: Absent. This creates a high-risk surface for indirect prompt injection to manipulate agent logic and tool usage.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 09:02 AM