google-adk-typescript
Pass
Audited by Gen Agent Trust Hub on Feb 23, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill documents the use of MCPToolset.fromServer in references/tools.md, which executes local commands to start Model Context Protocol servers. Evidence: Documentation demonstrates using npx to launch filesystem tools.
- [EXTERNAL_DOWNLOADS]: The skill includes patterns for loading tool definitions from remote sources. Evidence: references/tools.md provides examples for OpenAPIToolset.fromUrl and MCPToolset.fromSSE to fetch specifications at runtime.
- [REMOTE_CODE_EXECUTION]: The skill references a built-in tool for sandboxed code execution and demonstrates dynamic generation of tool logic from OpenAPI specifications. Evidence: references/tools.md explicitly mentions the CODE_EXECUTION tool.
- [PROMPT_INJECTION]: The framework's use of state-based instruction templating (e.g., {state_key}) creates an inherent surface for indirect prompt injection. Evidence: (1) Ingestion points: Untrusted data entering via session state interpolation and remote OpenAPI/MCP tool loading. (2) Boundary markers: The production checklist in references/deployment.md recommends input validation and sanitization. (3) Capability inventory: Support for subprocess execution, network operations, and sandboxed code execution. (4) Sanitization: Identified as a best practice in the deployment guidelines, though not implemented in the basic code snippets.
Audit Metadata