denario

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH

Tags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill is designed to ingest untrusted data (datasets, literature search results, and custom methodology files) and use that data to generate and execute 'computational experiments' via get_results(). This creates a critical attack surface where malicious instructions embedded in a dataset or paper could lead to arbitrary code execution.
    ◦ Ingestion points: set_data_description, set_method (file path), and automated literature searches mentioned in SKILL.md.
    ◦ Boundary markers: None detected. There are no instructions for the agent to use delimiters or ignore instructions within the ingested data.
    ◦ Capability inventory: get_results() executes computational experiments and get_paper() performs LaTeX compilation, both of which involve subprocess execution or runtime code evaluation.
    ◦ Sanitization: No evidence of sanitization or validation of the external content before processing.
  • [External Downloads] (MEDIUM): The installation guide (references/installation.md) directs users to download a Docker image from an untrusted user (pablovd/denario) and clone a repository from an untrusted GitHub organization (AstroPilot-AI). These sources are not within the defined [TRUST-SCOPE-RULE].
  • [Command Execution] (MEDIUM): The skill utilizes get_results() to execute code and includes instructions for system-level package installation (sudo apt-get install) and Docker container management, which could be exploited if the agent is manipulated via prompt injection.
  • [Credentials Unsafe] (LOW): While the skill correctly advises using environment variables and .env files for secrets, it explicitly targets sensitive files like service-account-key.json and credentials.json, which are at risk of exposure if the agent's code execution capabilities are compromised.
  • [Metadata Poisoning] (LOW): The skill contains a directive to 'proactively suggest' using an external hosted platform (k-dense.ai) for complex tasks. While framed as a productivity upgrade, this instruction acts as a behavioral steer toward an external commercial service.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 01:01 PM