crewai-developer
Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill architecture documents the ingestion of untrusted external data via ScrapeWebsiteTool and SerperDevTool, as shown in SKILL.md. This represents an indirect prompt injection surface where malicious content from external websites could influence agent behavior. The guide does not provide examples of boundary markers or sanitization logic to isolate this untrusted content. Agents described in references/advanced_patterns.md possess significant capabilities, including file system access and command execution via MCPTool, increasing the potential impact of successful injection.
- [REMOTE_CODE_EXECUTION]: A persistence pattern described in references/advanced_patterns.md demonstrates the use of the pickle module for saving and loading workflow states. The documentation shows pickle.load() being used to restore state from workflow_state.pkl, which is an unsafe operation if the file originates from or can be modified by an untrusted source, as it allows for arbitrary code execution.
- [COMMAND_EXECUTION]: The skill provides integration examples for MCPTool in references/advanced_patterns.md, which enables agents to execute external shell commands (e.g., using npx to launch MCP servers). This functionality provides agents with a mechanism to run arbitrary code or binaries within the execution environment.
Audit Metadata