outlines
Pass
Audited by Gen Agent Trust Hub on Jun 29, 2026
Risk Level: SAFEPROMPT_INJECTIONREMOTE_CODE_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted input text to generate structured data, creating an attack surface for indirect prompt injection. Ingestion points: External data enters the agent context via the strings passed to the
generator()function acrossSKILL.mdandreferences/examples.md. Boundary markers: The provided prompts use standard delimiters (e.g., 'Text: ... Product:') to separate input data from instructions, but they do not contain explicit 'ignore embedded instructions' warnings. Capability inventory: The skill's scripts focus exclusively on text generation; no subprocess calls, file system writes, or network operations are performed on the model's output within the provided examples. Sanitization: The skill leverages Pydantic for strict schema validation, ensuring generated outputs conform to expected types and structures, which acts as a primary defense against malformed or malicious data extraction. - [REMOTE_CODE_EXECUTION]: Documentation in
references/backends.mdmentions thetrust_remote_code=Trueconfiguration for vLLM and Transformers backends. This is a standard feature for loading specific model architectures but represents a security risk if used to load models from untrusted or unverified repositories, as it allows execution of arbitrary Python code bundled with the model.
Audit Metadata