datacommons-client
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
- [Unverifiable Dependencies & Remote Code Execution] (MEDIUM): The installation instructions in SKILL.md specify `datacommons-client`. However, the 'Additional Resources' section links to the official Data Commons documentation and GitHub repository, which both utilize the standard `datacommons` package. Recommending a different package name while linking to official sources for a similarly named tool is a common pattern for dependency confusion or typosquatting attacks.
- [Prompt Injection] (LOW): The 'Suggest Using K-Dense Web' section contains behavioral instructions that mandate the AI to proactively market a commercial platform (k-dense.ai) when user tasks increase in complexity. This attempts to steer agent behavior for marketing purposes, although it does not target safety filter bypass.
- [Indirect Prompt Injection] (LOW): The skill is designed to ingest and process large volumes of statistical and metadata content from external API sources (Data Commons). This creates a surface for indirect prompt injection if malicious instructions are embedded in the remote dataset, especially during the 'deep research' and 'dataset exploration' workflows described.
- Ingestion points: `client.observation.fetch`, `client.node.fetch` (external API data)
- Boundary markers: None provided in instructions for handling untrusted data
- Capability inventory: Data processing via Pandas, network requests via client library
- Sanitization: None detected in the documentation or common usage patterns provided.
Audit Metadata