skill-test

Warn

Audited by Gen Agent Trust Hub on May 20, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The framework's core purpose is to execute code blocks extracted from AI agent responses. In src/skill_test/grp/executor.py, the execute_python_block function attempts to verify imports by calling __import__ on package names found in the code. This causes the top-level code of those packages to execute in the local environment during what is meant to be a validation step.
  • [COMMAND_EXECUTION]: Multiple scripts (e.g., scripts/run_app_eval.py, scripts/add_example.py, src/skill_test/trace/source.py) utilize subprocess.run to call system commands and the Databricks CLI. This functionality provides a path for arbitrary command execution if the framework is used with malicious instructions.
  • [DATA_EXFILTRATION]: The skill manages sensitive credentials including Databricks API keys and Anthropic tokens. In src/skill_test/agent/executor.py, these secrets are read from environment variables or configuration files and passed to subprocesses running agent sessions and MCP servers. Improper handling or exposure of these configuration files could lead to credential harvesting.
  • [PROMPT_INJECTION]: The skill has a large surface for indirect prompt injection (Category 8). It ingests untrusted data from other skills' SKILL.md and ground_truth.yaml files and uses this data to generate and execute code.
  • Ingestion points: src/skill_test/dataset.py (YAML loading) and src/skill_test/cli/commands.py (SKILL.md parsing).
  • Boundary markers: The framework does not implement isolation or sanitization when interpolating external content into prompts or preparing code for execution.
  • Capabilities: It has powerful capabilities (local/remote execution, filesystem access) that can be triggered by processing maliciously crafted skill definitions.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 20, 2026, 11:42 AM
Security Audit — agent-trust-hub — skill-test