exploring-data
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill is vulnerable to Python code injection in scripts/analyze.sh. The script uses a shell heredoc (<< PYEOF) to generate Python code and directly interpolates the $DATAFILE environment variable into a Python string literal: filepath = Path("$DATAFILE"). Because the heredoc delimiter is unquoted, the shell expands variables before the text is passed to Python. A maliciously crafted filename containing a double quote (e.g., ");import os;os.system('id');#) would break out of the string literal and execute arbitrary Python code.
- [PROMPT_INJECTION] (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8). It ingests untrusted data from multiple file formats (.csv, .xlsx, .json, .parquet, .tsv) and processes them using the ydata-profiling library. The resulting statistics and alerts are then summarized for the AI agent without content-level sanitization or boundary markers to distinguish data from instructions. Mandatory Evidence: (1) Ingestion points: scripts/analyze.sh (reading user-provided files). (2) Boundary markers: absent. (3) Capability inventory: subprocess calls via shell and Python, file writing to the output directory. (4) Sanitization: absent; uses the standard pandas and ydata-profiling loaders.
- [EXTERNAL_DOWNLOADS] (SAFE): The skill installs its dependencies (ydata-profiling, setuptools) from PyPI using the uv package manager. This is a standard and acceptable practice using a trusted registry.
Recommendations
- AI detected serious security threats
Audit Metadata