deepagents
Fail
Audited by Gen Agent Trust Hub on Mar 23, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill installs the
deepagentspackage and several LangChain-related dependencies from public registries viapipanduv. It also references theuvinstaller fromastral.sh.\n- [REMOTE_CODE_EXECUTION]: Thescripts/setup.shfile includes a command to download and execute a script fromhttps://astral.sh/uv/install.shby piping it directly to the shell (curl | sh). While the source is a well-known service, this pattern remains a high-risk execution vector.\n- [COMMAND_EXECUTION]: The skill exposes a powerfulexecutetool that allows the AI agent to run arbitrary shell commands on the host system. Additionally, thescripts/setup.shscript executes local shell commands to validate the Python environment and install packages.\n- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8). It possesses a significant attack surface by combining data ingestion tools with high-privilege capabilities:\n - Ingestion points: The agent reads external data using
read_file,ls,glob, andgrep(found inSKILL.md).\n - Boundary markers: There are no explicit instructions or delimiters provided to help the agent distinguish between system instructions and untrusted content from files.\n
- Capability inventory: The agent has access to
execute,write_file, andedit_filetools (found inSKILL.mdandreferences/deepagents-api.md).\n - Sanitization: No sanitization or validation logic is defined for the content read from the filesystem before it is processed by the model. Maliciously crafted files could contain instructions that trigger unauthorized shell commands or file modifications.
Recommendations
- HIGH: Downloads and executes remote code from: https://astral.sh/uv/install.sh - DO NOT USE without thorough review
Audit Metadata