outlines

Pass

Audited by Gen Agent Trust Hub on Jun 29, 2026

Risk Level: SAFEPROMPT_INJECTIONREMOTE_CODE_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill processes untrusted input text to generate structured data, creating an attack surface for indirect prompt injection. Ingestion points: External data enters the agent context via the strings passed to the generator() function across SKILL.md and references/examples.md. Boundary markers: The provided prompts use standard delimiters (e.g., 'Text: ... Product:') to separate input data from instructions, but they do not contain explicit 'ignore embedded instructions' warnings. Capability inventory: The skill's scripts focus exclusively on text generation; no subprocess calls, file system writes, or network operations are performed on the model's output within the provided examples. Sanitization: The skill leverages Pydantic for strict schema validation, ensuring generated outputs conform to expected types and structures, which acts as a primary defense against malformed or malicious data extraction.
  • [REMOTE_CODE_EXECUTION]: Documentation in references/backends.md mentions the trust_remote_code=True configuration for vLLM and Transformers backends. This is a standard feature for loading specific model architectures but represents a security risk if used to load models from untrusted or unverified repositories, as it allows execution of arbitrary Python code bundled with the model.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 29, 2026, 12:55 AM
Security Audit — agent-trust-hub — outlines