crewai-multi-agent
Pass
Audited by Gen Agent Trust Hub on Jun 29, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill's documentation guides users to install several external packages, including 'crewai', 'crewai-tools', and specific extensions like 'selenium' or 'firecrawl'. These are recognized packages within the AI development community.
- [COMMAND_EXECUTION]: Example code for a custom 'CalculatorTool' demonstrates the use of Python's 'eval()' function. Although the example includes a character-based safety check to prevent execution of non-mathematical strings, the use of 'eval()' is generally considered a high-risk practice as it can potentially lead to arbitrary code execution if the sanitization is bypassed.
- [PROMPT_INJECTION]: The framework is designed to ingest and process data from untrusted external sources using tools like 'ScrapeWebsiteTool', 'PDFSearchTool', and 'GithubSearchTool'. This architectural design creates a surface for indirect prompt injection attacks.
- Ingestion points: Data enters the agent's context through web scraping, PDF parsing, and repository searches (as documented in 'SKILL.md' and 'references/tools.md').
- Boundary markers: The documentation advises using clear task descriptions and expected output formats, which can help mitigate but not entirely prevent injection issues.
- Capability inventory: The skill framework enables high-impact capabilities such as code execution ('CodeInterpreterTool'), file system modification ('FileWriterTool'), and database interactions ('PostgreSQLTool').
- Sanitization: While some examples show basic input validation (e.g., character filtering), the framework does not inherently enforce strict sanitization on all processed external content.
Audit Metadata