python-sdk
Pass
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: SAFE
Flags: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The SDK supports arbitrary code execution through its internal tools configuration (`internal_tools().code_execution(True)`) and the permitted `Bash(python *)` tool. Reference documentation also includes examples of using the `eval()` function for tool logic, which can be dangerous if arguments are not strictly validated.
- [DATA_EXFILTRATION]: The `webhook_tool` feature allows agents to send data to external HTTP endpoints. While intended for integrations, it provides a channel for data transfer to third-party services.
- [PROMPT_INJECTION]: The skill facilitates building agents that process external data, creating an attack surface for indirect prompt injection.
- Ingestion points: Agents ingest data from uploaded files (SKILL.md) and external search results (references/agent-patterns.md).
- Boundary markers: Documented examples do not show explicit delimiters or instructions to ignore embedded commands in ingested data.
- Capability inventory: Built agents possess significant capabilities including code execution, network requests via webhooks, and potential filesystem access.
- Sanitization: The SDK includes a `require_approval()` mechanism to enable human-in-the-loop confirmation, which is the primary recommended mitigation for sensitive tool executions.
Audit Metadata