dag-development

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Tags: PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill is vulnerable to indirect prompt injection through the ingestion of external research papers in phases/phase0-theory.md. There are no boundary markers or sanitization processes for node labels or claims extracted from these papers. Maliciously crafted papers could influence the agent to generate harmful scripts or bypass its instructions. Ingestion points: External PDF/text papers in Phase 0. Boundary markers: Absent. Capability inventory: System command execution via mmdc (Phase 3), Rscript (Phase 4), and uv run (Phase 5). Sanitization: None.
  • [Command Execution] (HIGH): The skill renders diagrams by executing shell commands. Since parts of these commands are generated from untrusted inputs, it presents a risk of command injection.
  • [Dynamic Execution] (MEDIUM): The skill writes and then executes Python and R scripts (dag_py.py, dag_r.R) at runtime. Populating these scripts with unvalidated external data creates a risk of code injection within the script's runtime environment.
  • [External Downloads] (LOW): Phase 5 performs runtime package installation using uv run. While these packages (networkx, matplotlib) are from trusted repositories, dynamic installation is an external dependency risk.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 05:42 AM