testing-dags
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill consumes untrusted external data (DAG logs, run details, and analysis results) and uses this information to determine how to 'fix' and re-execute code. * Ingestion points: Data enters through get_dag_run_detail, analyse_dag_latest_run, and go_to_dag_log_view. * Capability inventory: The agent is instructed to 'Apply fixes' (code/file modification) and use trigger_dag_run (execution). * Boundary markers: There are no delimiters or instructions to ignore embedded commands within the logs or analysis data. * Sanitization: No sanitization or validation of the 'fixes' derived from log data is present.
- [Command Execution] (HIGH): The skill explicitly directs the agent to execute code via trigger_dag_run and perform system modifications ('Apply fixes'). This provides a direct path for malicious instructions found in external logs to be translated into system-level actions without human oversight.
Recommendations
- AI detected serious security threats
Audit Metadata