authoring-dags
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: LOW
Full Analysis
- [PROMPT_INJECTION] (SAFE): The skill uses strong directives like 'FORBIDDEN' and 'CRITICAL WARNING'. In this context, these are defensive constraints designed to prevent the agent from using brittle or dangerous shell commands, rather than attempts to bypass AI safety guardrails.
- [DATA_EXPOSURE & EXFILTRATION] (SAFE): The skill handles Airflow metadata such as connections and variables. It correctly utilizes structured MCP tools for these operations and includes a 'Best Practices' guide that explicitly forbids hard-coding credentials, advising the use of Airflow's native secret management instead.
- [INDIRECT_PROMPT_INJECTION] (LOW): The skill has an inherent attack surface because it reads and processes existing user code (DAG files and requirements.txt) and possesses the capability to write new executable code and trigger its execution.
- Ingestion points: Phase 1 (Discovery) involves reading existing Python DAG files and requirements files.
- Boundary markers: None specified for the reading of external code.
- Capability inventory: The skill can create new files (Phase 3) and execute code via the trigger_dag_and_wait MCP tool (Phase 5).
- Sanitization: Not present; however, the skill mandates using structured MCP tools for validation (list_import_errors), which provides a safer feedback loop than manual shell inspection.
- [COMMAND_EXECUTION] (SAFE): The skill explicitly prohibits the use of CLI commands (astro, airflow, bash) and redirects the agent to specific, purpose-built MCP tools, which is a 'Least Privilege' security best practice.
Audit Metadata