speculative-decoding
Fail
Audited by Gen Agent Trust Hub on Jun 29, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill requires cloning source code from external GitHub repositories (
FasterDecoding/Medusaandhao-ai-lab/LookaheadDecoding) that are not associated with trusted organizations or well-known services defined in the security guidelines.\n- [REMOTE_CODE_EXECUTION]: The installation instructions for the Medusa and Lookahead Decoding tools involve runningpip install -e .on the cloned repositories. This is a high-risk operation as it executes thesetup.pyorpyproject.tomlfiles from these untrusted external sources, allowing for arbitrary code execution on the user's system during the installation process.\n- [COMMAND_EXECUTION]: The documentation provides multiple shell commands (git clone,pip install,cd) for setting up the environment. These commands are intended to be executed in a shell environment, which can be exploited if the source repositories are compromised.\n- [PROMPT_INJECTION]: The skill established a surface for indirect prompt injection by processing external data as LLM prompts.\n - Ingestion points: Untrusted user input enters the agent context via the
promptvariable in the code snippets provided inSKILL.md.\n - Boundary markers: There are no delimiters or 'ignore embedded instructions' warnings used when interpolating the
promptvariable into the model generation calls.\n - Capability inventory: The skill environment (as described in the installation steps) includes the capability to execute shell commands and install packages, which could be abused if an injected prompt misleads the agent.\n
- Sanitization: The provided Python code lacks any validation or filtering of the content within the
promptvariable before it is processed by the model.
Recommendations
- AI detected serious security threats
Audit Metadata