phoenix-cli
Pass
Audited by Gen Agent Trust Hub on May 13, 2026
Risk Level: SAFE
Flags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the agent to use `npx @arizeai/phoenix-cli` to download and run the Phoenix CLI. This is a standard deployment method for the official tool provided by the vendor.
- [COMMAND_EXECUTION]: The skill documentation provides extensive shell command examples for managing LLM traces, spans, and profiles. These include piped operations with `jq` for data processing and shell `while` loops for bulk annotation of traces.
- [PROMPT_INJECTION]: The skill creates an indirect prompt injection surface by directing the agent to process and analyze untrusted trace data.
  - Ingestion points: The agent fetches raw LLM inputs, outputs, and retrieved context from external sources using `px trace get` and `px span list`, as described in `SKILL.md` and the open-coding workflow.
  - Boundary markers: No delimiters or safety instructions are defined to help the agent distinguish between trace data and instructions.
  - Capability inventory: The agent has the capability to execute shell commands and modify remote data (via the `annotate` and `add-note` commands) based on its analysis of the untrusted trace content.
  - Sanitization: The instructions do not provide any mechanisms for sanitizing or validating trace content before it is processed by the agent.
Audit Metadata