stable-baselines3
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE (findings: PROMPT_INJECTION, REMOTE_CODE_EXECUTION)
Full Analysis
- Indirect Prompt Injection (LOW): The skill templates for training and evaluation ingest data from Gymnasium environments and from external model files, so content the skill author does not control can reach the agent and steer its behavior.
  - Ingestion points: environment observations in 'scripts/custom_env_template.py'; model and normalization-statistics loading in 'scripts/evaluate_agent.py'.
  - Boundary markers: absent. No instructions or delimiters tell the agent to ignore commands embedded in observation data.
  - Capability inventory: the skill can write to the file system ('model.save') and can execute code through deserialization.
  - Sanitization: absent. Environment data and model contents are not filtered before they are processed.
- Dynamic Execution (LOW): 'scripts/evaluate_agent.py' and 'scripts/train_rl_agent.py' call 'VecNormalize.load()', which deserializes with the Python 'pickle' module. A pickle stream can name any importable callable and have it invoked during loading, so a user who is prompted to load a malicious '.pkl' file gets arbitrary code execution. The severity is reduced to LOW because pickle-based persistence is the standard, expected mechanism for RL model files in the Stable Baselines3 ecosystem; the practical control is to load '.pkl' files only from a trusted source.
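As an added illustration of the pickle finding above (example code written for this note, not part of the audited skill or of Stable Baselines3): a constructed pickle whose `__reduce__` makes the unpickler call a function, shown beside two pre-load checks. The `side_effect` function is a hypothetical, harmless stand-in for a callable such as `os.system`, so the demo is safe to run; `referenced_globals`, `RestrictedUnpickler`, `safe_load` and `unsafe_load` are names chosen here, not library APIs. Plain `pickle.loads` runs the payload; the opcode scan reports which globals a file would import without loading it, and the restricted unpickler refuses anything outside an explicit allowlist.

```python
"""Added example: why an untrusted '.pkl' is code execution, and two checks to
put in front of pickle.load(). Not code from the audited skill or from SB3."""
import io
import pickle
import pickletools

# Records whether the constructed payload ran; stands in for a real side effect.
FIRED = []


def side_effect(tag):
    """Hypothetical benign stand-in for the callable a malicious pickle invokes."""
    FIRED.append(tag)
    return tag


class MaliciousStats:
    """Constructed object: its __reduce__ makes the unpickler call side_effect."""

    def __reduce__(self):
        return (side_effect, ("payload-ran",))


def build_malicious_pickle():
    return pickle.dumps(MaliciousStats())


def build_benign_pickle():
    # Constructed stand-in for normalization statistics: builtin containers only.
    return pickle.dumps({"obs_rms_mean": [0.0, 1.0], "clip_obs": 10.0})


_STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
               "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def referenced_globals(data):
    """Dry run: the (module, name) pairs a pickle would import, without loading it.

    GLOBAL carries both names in its argument; STACK_GLOBAL takes them from the
    two most recent string pushes, so those are tracked, including memo look-ups,
    which covers streams written by the standard pickler.
    """
    found = set()
    memo, strings, top = {}, [], None
    for op, arg, _pos in pickletools.genops(data):
        if op.name in _STRING_OPS:
            strings.append(arg)
            top = arg
        elif op.name == "MEMOIZE":          # memo index is assigned sequentially
            memo[len(memo)] = top
            continue
        elif op.name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = top
            continue
        elif op.name in ("GET", "BINGET", "LONG_BINGET"):
            top = memo.get(arg)
            if isinstance(top, str):
                strings.append(top)
        elif op.name == "GLOBAL":           # argument is "module name"
            module, name = arg.split(" ", 1)
            found.add((module, name))
            top = None
        elif op.name == "STACK_GLOBAL":
            found.add(tuple(strings[-2:]))
            top = None
        else:
            top = None
        strings = strings[-2:]
    return found


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only globals on an explicit allowlist."""

    def __init__(self, file, allowed):
        super().__init__(file)
        self.allowed = frozenset(allowed)

    def find_class(self, module, name):
        if (module, name) in self.allowed:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to resolve global {module}.{name}: not on the allowlist")


def safe_load(data, allowed=()):
    """pickle.loads replacement that raises instead of importing unlisted globals."""
    return RestrictedUnpickler(io.BytesIO(data), allowed).load()


def try_safe_load(data, allowed=()):
    """Return ('ok', obj) or ('blocked', reason) so callers can log the outcome."""
    try:
        return ("ok", safe_load(data, allowed))
    except pickle.UnpicklingError as exc:
        return ("blocked", str(exc))


def unsafe_load(data):
    """What a plain pickle.load-based loader does: executes whatever the stream names."""
    return pickle.loads(data)


if __name__ == "__main__":
    bad = build_malicious_pickle()
    print("globals referenced:", referenced_globals(bad))
    print("restricted load:", try_safe_load(bad), "| fired:", FIRED)
    print("plain pickle.loads:", unsafe_load(bad), "| fired:", FIRED)
```

Running `referenced_globals` over a stats file you produced yourself is the way to derive the allowlist for a real loader; for actual VecNormalize files that list would have to include the Stable Baselines3 and NumPy reconstruction callables, which narrows the surface but does not remove the need to trust the file's source.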
Audit Metadata