tushare-plugin-builder
Warn
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill relies on executing a suite of Python scripts (e.g., `run_plugin_test.py`, `generate_create_table_sql.py`, `verify_mcp_tool.py`) to perform its core functions, including database management and service verification.
- [REMOTE_CODE_EXECUTION]: The files `scripts/run_plugin_test.py` and `scripts/validate_plugin.py` use dynamic importing (`importlib.import_module`) to load and run code from the `plugins/` directory. Since the plugin name is derived from user input or external documentation, this could be leveraged to execute unauthorized code if malicious files are staged on the filesystem.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through its ingestion of external Tushare documentation. Malicious instructions in the documentation could trick the agent into generating backdoored code or performing unintended system operations.
  - Ingestion points: `SKILL.md` (parsing of user-provided Tushare URLs or document text).
  - Boundary markers: The skill lacks explicit boundary markers or safety instructions to prevent the agent from following commands embedded in the external data.
  - Capability inventory: Includes file system write access, shell command execution, and direct ClickHouse database interaction.
  - Sanitization: No sanitization logic is present for the content extracted from external sources before it is used to generate code.
- [COMMAND_EXECUTION]: The script `generate_create_table_sql.py` constructs and executes SQL statements dynamically based on a JSON schema. This represents a risk of SQL injection if the schema originates from an untrusted or manipulated source.
Audit Metadata