denario
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The skill directs users to install a package `denario` from PyPI and pull a Docker image `pablovd/denario:latest` from Docker Hub. Neither the GitHub repository `AstroPilot-AI/Denario` nor the Docker author `pablovd` is on the trusted source list. Installation of unverified packages can lead to supply chain attacks.
- REMOTE_CODE_EXECUTION (LOW): In `references/llm_configuration.md`, the skill suggests installing the Google Cloud SDK using the pattern `curl https://sdk.cloud.google.com | bash`. While `google.com` is a trusted source per [TRUST-SCOPE-RULE], this remains a risky execution pattern for external scripts.
- COMMAND_EXECUTION (MEDIUM): The core workflow includes `den.get_results()`, which is documented as executing computational experiments based on provided data and methodologies. This indicates the skill likely generates and runs code dynamically, which can be dangerous if the input methodologies (Category 8) are malicious.
- Indirect Prompt Injection (LOW): The skill possesses a significant attack surface for indirect prompt injection.
  - Ingestion points: `set_data_description`, `set_method` (loads markdown files), and `set_results` (loads markdown files).
  - Boundary markers: No specific delimiters or safety warnings for the agent to ignore instructions embedded in research data or methodology files are documented.
  - Capability inventory: The skill has the capability to execute code (computational analysis), generate LaTeX files, and interact with external LLM APIs.
  - Sanitization: No evidence of sanitization or validation of the input methodology files before they are processed by the multi-agent system.
Audit Metadata