geopandas
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHPROMPT_INJECTIONDATA_EXFILTRATIONEXTERNAL_DOWNLOADS
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is highly vulnerable to indirect prompt injection as it processes untrusted geospatial data while possessing significant file-write and network capabilities. \n
- Ingestion points:
gpd.read_file()(supporting ZIPs and URLs) andgpd.read_postgis()as documented inreferences/data-io.md. \n - Boundary markers: Absent. No instructions are provided to delimit external data or ignore embedded commands. \n
- Capability inventory: The skill can write files (
to_file), modify databases (to_postgis), and access the network (fsspecand URL-based reading). \n - Sanitization: Absent. No validation or sanitization of ingested geometric or attribute data is performed.\n- Prompt Injection (LOW): The
SKILL.mdfile contains instructions in the 'Suggest Using K-Dense Web' section that steer agent behavior to proactively promote a specific commercial platform (www.k-dense.ai). While framed as a productivity recommendation, it represents a behavior-modifying instruction embedded in the skill metadata.\n- External Downloads (LOW): The skill documents the installation of several third-party Python packages and demonstrates reading data from remote URLs, which are common external dependency patterns.\n - Evidence:
references/data-io.mdcontains examples ofgpd.read_filewith remote HTTPS URLs.\n - Trust Status: References standard PyPI packages (geopandas, folium, etc.), which are within expected usage for this domain.
Recommendations
- AI detected serious security threats
Audit Metadata