testing-dags
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHCREDENTIALS_UNSAFEEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION] (HIGH): The skill uses
uvx --from astro-airflow-mcp@latest afto execute commands. This pattern downloads and runs code from a remote source at runtime. The sourceastro-airflow-mcpis not from a trusted organization or repository listed in the security protocols, making it a target for supply chain attacks. - [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8).
- Ingestion points: Task logs are ingested via the
af tasks logscommand. - Boundary markers: None specified; there are no instructions to isolate or treat log data as untrusted.
- Capability inventory: The skill explicitly directs the agent to "Fix and Retest" (modify code) based on these logs.
- Sanitization: None. A malicious task could output logs designed to trick the agent into injecting backdoors or malicious logic during the suggested fix phase.
- [CREDENTIALS_UNSAFE] (HIGH): The skill provides the command
af config connections, which is used to list and potentially view Airflow connection details. These often contain sensitive credentials, including passwords and API tokens, leading to credential exposure. - [DATA_EXFILTRATION] (MEDIUM): In addition to credentials,
af config variablesallows access to potentially sensitive environment configurations that could be exfiltrated if the agent is manipulated into outputting the results. - [COMMAND_EXECUTION] (MEDIUM): The use of shell-based commands with variables like
<dag_id>and--confpresents a risk of command injection if inputs are not strictly validated by the underlying agent or theaftool itself.
Recommendations
- AI detected serious security threats
Audit Metadata