Evals
Warn
Audited by Gen Agent Trust Hub on Jun 30, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: Graders/CodeBased/StaticAnalysis.ts and Graders/CodeBased/BinaryTests.ts execute arbitrary shell commands defined in Task configuration YAML files (e.g., using Bun's shell). While appropriate for a testing framework, this represents a potential risk if configuration files are tampered with.
- [REMOTE_CODE_EXECUTION]: Tools/ScenarioRunner.ts uses dynamic import() to load and execute TypeScript scenario modules based on user-supplied file paths from the command line. This allows for arbitrary code execution within the framework context.
- [PROMPT_INJECTION]: The skill ingests untrusted agent outputs and conversation transcripts in Graders/ModelBased/LLMRubric.ts and Graders/ModelBased/NaturalLanguageAssert.ts, creating a surface for indirect prompt injection.
- Ingestion points: Agent outputs are ingested via GraderContext.output and full transcripts are captured in Tools/TranscriptCapture.ts.
- Boundary markers: Evaluation prompts use Markdown headers (e.g., '## Output to Evaluate') as delimiters for untrusted content.
- Capability inventory: The skill has high-privilege capabilities including shell command execution and dynamic module loading.
- Sanitization: There is no evidence of sanitization or escaping of ingested transcripts before they are interpolated into LLM judge prompts.
- [EXTERNAL_DOWNLOADS]: The skill utilizes several well-known and standard dependencies in its package.json, such as @ai-sdk/anthropic, ai, and @langwatch/scenario, which are considered safe sources.
Audit Metadata