patterns
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE (findings: PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION] (LOW): The skill demonstrates patterns that are vulnerable to Indirect Prompt Injection. Untrusted data is interpolated directly into LLM prompts without adequate sanitization or robust boundary markers.
- Ingestion points: 'current_text' and 'instruction' variables in 'agent-handler-validation-with-state.md'; 'code' data in 'run-batch-tasks.md'.
- Boundary markers: Minimal use of basic labels (e.g., 'Instruction:') which can be easily bypassed by adversarial content in the input strings.
- Capability inventory: The agents described are capable of tool emission and, in some patterns, full shell access via MCP servers.
- Sanitization: No evidence of input validation, escaping, or instruction-aware filtering of interpolated data.
- [COMMAND_EXECUTION] (LOW): The pattern for 'MCP Tools Integration' in 'mcp-tool-integration.md' explicitly describes how to enable the 'Bash' tool from external servers like Claude Code. This grants the LLM the capability to execute arbitrary shell commands on the host system. While this is a documented feature of the framework, it represents a high-risk capability tier that requires strict environment isolation.
- [EXTERNAL_DOWNLOADS] (SAFE): The skill references standard Python libraries ('langroid', 'fastmcp', 'pydantic') and established external tools (Claude Code). No suspicious or unknown third-party dependencies were detected.
Audit Metadata