windmill
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Categories: CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- CREDENTIALS_UNSAFE (HIGH): The README explicitly lists default administrative credentials (admin@windmill.dev / changeme) for accessing the application UI.
- EXTERNAL_DOWNLOADS (MEDIUM): The quick start guide instructs users to install the windmill-cli package globally via npm, which downloads and executes code from an external registry without cryptographic verification.
- COMMAND_EXECUTION (MEDIUM): The skill's primary function is the orchestration and execution of arbitrary scripts (Python, TypeScript, Bash, Go). The documentation demonstrates using these scripts for network operations and system-level tasks.
- DATA_EXFILTRATION (MEDIUM): Code snippets show how to retrieve sensitive credentials (API keys, Postgres connection strings) from a central resource manager and use them in external network requests via curl and requests.
- PROMPT_INJECTION (LOW): The skill facilitates Indirect Prompt Injection (Category 8) by ingesting untrusted data from APIs and user parameters into execution modules without visible sanitization.
  - Ingestion points: Untrusted data enters through the api_url parameter in Python scripts and the input string in TypeScript modules.
  - Boundary markers: There are no delimiters or "ignore" instructions to prevent execution of instructions embedded in the processed data.
  - Capability inventory: The scripts have access to network tools (curl, requests), resource-manager secrets (wmill.get_resource), and general shell execution.
  - Sanitization: No input validation, escaping, or schema enforcement is shown in the examples.
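The DATA_EXFILTRATION and PROMPT_INJECTION findings above describe the same weak spot: a caller-controlled api_url decides where a request goes, and a secret pulled from the resource manager is attached to it unconditionally. The following is an added example, not code from the page, the audit tool, or the Windmill project. It shows that unvalidated pattern next to a hardened version that parses the URL and enforces an https-only, allowlisted-host policy before any secret is attached. ALLOWED_HOSTS, SAMPLE_URLS, and the placeholder key are constructed for the example; the real script would obtain the key from wmill.get_resource as the audit notes.

```python
from urllib.parse import urlparse

# Constructed allowlist: the only API hosts this script may call (assumption,
# not a Windmill setting). In a real script this would come from configuration.
ALLOWED_HOSTS = {"api.example.com"}


class UnsafeDestination(ValueError):
    """Raised when a caller-supplied URL fails the destination policy."""


def validate_api_url(api_url: str, allowed_hosts=None) -> str:
    """Return api_url unchanged if it is an https URL to an allowlisted host.

    Checks parsed.hostname (lowercased, with userinfo and port stripped) rather
    than the raw string, so lookalike suffixes, embedded userinfo such as
    https://api.example.com@evil.net/ and unexpected ports are all rejected.
    """
    allowed_hosts = ALLOWED_HOSTS if allowed_hosts is None else allowed_hosts
    parsed = urlparse(api_url)
    if parsed.scheme != "https":
        raise UnsafeDestination(f"scheme must be https: {api_url!r}")
    if parsed.username is not None or parsed.password is not None:
        raise UnsafeDestination(f"userinfo not allowed in URL: {api_url!r}")
    if parsed.hostname is None or parsed.hostname not in allowed_hosts:
        raise UnsafeDestination(f"host not allowlisted: {parsed.hostname!r}")
    if parsed.port not in (None, 443):
        raise UnsafeDestination(f"non-standard port: {parsed.port}")
    return api_url


def build_request_unvalidated(api_url: str, api_key: str) -> dict:
    """The pattern the audit describes: the caller's parameter becomes the
    destination and the secret is attached no matter where it points. Any
    api_url value, including one injected via upstream data, leaks api_key
    to whoever controls that host."""
    return {"url": api_url, "headers": {"Authorization": f"Bearer {api_key}"}}


def build_request_hardened(api_url: str, api_key: str) -> dict:
    """Same request, but the secret is only attached after the destination
    passes the policy; a rejected URL never produces a request at all."""
    url = validate_api_url(api_url)
    return {"url": url, "headers": {"Authorization": f"Bearer {api_key}"}}


def classify(candidates) -> dict:
    """Run the policy over several URLs; returns {url: 'allowed' | 'rejected: reason'}."""
    results = {}
    for url in candidates:
        try:
            validate_api_url(url)
            results[url] = "allowed"
        except UnsafeDestination as exc:
            results[url] = f"rejected: {exc}"
    return results


def main(api_url: str) -> dict:
    # In Windmill the secret would come from the resource manager the audit
    # names (wmill.get_resource); a constructed placeholder keeps this offline.
    api_key = "constructed-placeholder-key"
    return build_request_hardened(api_url, api_key)


# Constructed inputs: one legitimate URL, one differing only in case, and four
# that a naive substring check for "api.example.com" would wave through.
SAMPLE_URLS = [
    "https://api.example.com/v1/items",
    "https://API.example.com/v1/items",          # case differs, same host
    "http://api.example.com/v1/items",           # plaintext, secret exposed in transit
    "https://api.example.com@evil.net/collect",  # userinfo spoofs the host
    "https://api.example.com.evil.net/collect",  # lookalike suffix
    "https://api.example.com:8443/v1/items",     # unexpected port
]

if __name__ == "__main__":
    for url, verdict in classify(SAMPLE_URLS).items():
        print(f"{verdict:<50} {url}")
```

The allowlist is deliberately a host policy rather than a string match: the two evil.net variants both contain the expected hostname as a substring, and the userinfo form resolves to a different host entirely. The same validate-before-attach shape applies to the TypeScript modules' input string; the check just moves to whatever field that string feeds.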
Recommendations
- AI detected serious security threats. Concretely, from the findings above: change the default admin@windmill.dev / changeme credentials before the UI is reachable by anyone else; install windmill-cli from a committed lockfile with integrity hashes that npm verifies at install time, rather than an unpinned global install; have scripts validate the api_url and input parameters (scheme, host allowlist, schema) before using them; and restrict where secrets obtained through wmill.get_resource may be sent.
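For the EXTERNAL_DOWNLOADS finding, the practical mitigation is to install from a committed package-lock.json so npm checks the recorded integrity hash instead of trusting whatever the registry serves today. The following is an added example, not code from the page, the audit tool, or the Windmill project: a Python check that could run in CI before npm ci to confirm the package is pinned, resolved to the public registry, and carries a sha512 integrity entry. Both lockfiles are constructed for the example; the version and hash values are placeholders, not windmill-cli's real ones.

```python
import json

NPM_REGISTRY = "https://registry.npmjs.org/"


def check_locked_package(lock_text: str, name: str) -> list:
    """Return a list of problems with how `name` is pinned in a package-lock.json
    using the lockfileVersion 2/3 layout (entries under "packages").
    An empty list means: present, resolved to the public registry, and carrying
    a sha512 integrity hash that npm will verify when installing from the lock."""
    lock = json.loads(lock_text)
    if lock.get("lockfileVersion", 0) < 2:
        return ["lockfileVersion < 2: no 'packages' section to check"]
    entry = lock.get("packages", {}).get(f"node_modules/{name}")
    if entry is None:
        return [f"{name} is not pinned in the lockfile"]
    problems = []
    if not entry.get("version"):
        problems.append("no version recorded")
    resolved = entry.get("resolved", "")
    if not resolved.startswith(NPM_REGISTRY):
        problems.append(f"resolved outside the public registry: {resolved!r}")
    integrity = entry.get("integrity", "")
    if not integrity.startswith("sha512-"):
        problems.append("missing or weak integrity hash (expected sha512-...)")
    return problems


# Constructed lockfile: pinned, registry-resolved, sha512 integrity present.
# The version and hash are placeholders, not windmill-cli's actual values.
GOOD_LOCK = json.dumps({
    "name": "example-project",
    "lockfileVersion": 3,
    "packages": {
        "node_modules/windmill-cli": {
            "version": "0.0.0",
            "resolved": "https://registry.npmjs.org/windmill-cli/-/windmill-cli-0.0.0.tgz",
            "integrity": "sha512-PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER==",
        }
    },
})

# Constructed lockfile: resolved to an arbitrary mirror and with no integrity
# entry, so npm has nothing to verify the tarball against.
BAD_LOCK = json.dumps({
    "name": "example-project",
    "lockfileVersion": 3,
    "packages": {
        "node_modules/windmill-cli": {
            "version": "0.0.0",
            "resolved": "https://mirror.example.net/windmill-cli.tgz",
        }
    },
})

if __name__ == "__main__":
    for label, lock in (("good", GOOD_LOCK), ("bad", BAD_LOCK)):
        print(label, check_locked_package(lock, "windmill-cli") or "ok")
```

A passing lockfile still only protects the install step; pair it with npm ci --ignore-scripts so the package's lifecycle scripts do not run on the CI host either.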
Audit Metadata