agent-frameworks
Warn
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The
calculatefunction inSKILL.mdand theCalculatorToolinscripts/simple_agent.pyuse theeval()function to process user-provided strings. While intended for mathematical expressions,eval()is a high-risk function that can lead to arbitrary code execution if the input is not perfectly sanitized. - [DATA_EXFILTRATION]: The
api_calltool inSKILL.mdallows the agent to make HTTP GET requests to arbitrary endpoints provided as strings. This pattern can be exploited for Server-Side Request Forgery (SSRF) or to exfiltrate data if an attacker influences the endpoint URL. - [REMOTE_CODE_EXECUTION]: The framework provides patterns for dynamic tool execution. Although the
code_executortool inassets/agent_config.yamlis disabled by default, the inclusion ofeval()-based tools provides a functional equivalent for code execution. - [PROMPT_INJECTION]: As a framework for building agents that process external data (e.g., web search results), the skill is inherently susceptible to indirect prompt injection.
- Ingestion points: Data enters the agent via search tool results and API responses processed in
SKILL.mdandscripts/simple_agent.py. - Boundary markers: The implementation code in
scripts/simple_agent.pylacks explicit boundary markers or instructions to the LLM to ignore embedded instructions in tool outputs. - Capability inventory: The agent has the capability to execute code via
evaland perform network operations via therequestslibrary. - Sanitization: While the documentation mentions
safe_tool_filter, the provided scripts do not implement robust sanitization of external content before it is re-interpolated into the agent's prompt.
Audit Metadata