
python-sdk

Warn

Audited by Gen Agent Trust Hub on Apr 16, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The documentation in references/tool-builder.md includes code examples that use the eval() function to process tool arguments (e.g., eval(call.args['expression'])). This is a dangerous practice: it allows an LLM to execute arbitrary Python code on the host machine if the agent is misled or compromised.
  • [REMOTE_CODE_EXECUTION]: The skill documents and provides examples for enabling built-in code execution capabilities for agents via internal_tools().code_execution(True). While this is an intended feature of the SDK, it grants the agent the ability to execute code in the user's environment, which requires strict sandboxing and human oversight.
  • [EXTERNAL_DOWNLOADS]: The skill requires the installation of the inferencesh package from the public PyPI registry. Users should ensure they are installing the official package from the intended vendor.
  • [DATA_EXFILTRATION]: The skill provides examples of webhook_tool usage which can send data to external URLs. While presented for legitimate purposes like Slack notifications, this capability could be misused to exfiltrate sensitive information if an agent is successfully targeted by a prompt injection.
  • [PROMPT_INJECTION]: As an SDK for building agents that ingest external data (files, web search results, and tool outputs), the skill is subject to indirect prompt injection. The documentation suggests require_approval() as a mitigation, but does not provide examples of input sanitization or strict boundary markers for untrusted content. Evidence found in:
      ◦ Ingestion points: agent.send_message (accepts files/text) and the web_search tool, documented in SKILL.md and references/agent-patterns.md.
      ◦ Boundary markers: None explicitly shown for data interpolation, though require_approval() is provided as a structural pattern.
      ◦ Capability inventory: code_execution, webhook_tool, and file system access (e.g., the delete_file example) across multiple reference files.
      ◦ Sanitization: No input validation or escaping patterns are demonstrated in the provided code snippets.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 16, 2026, 07:30 PM