skill-test
Warn
Audited by Gen Agent Trust Hub on May 20, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The framework's core purpose is to execute code blocks extracted from AI agent responses. In
src/skill_test/grp/executor.py, theexecute_python_blockfunction attempts to verify imports by calling__import__on package names found in the code. This causes the top-level code of those packages to execute in the local environment during what is meant to be a validation step. - [COMMAND_EXECUTION]: Multiple scripts (e.g.,
scripts/run_app_eval.py,scripts/add_example.py,src/skill_test/trace/source.py) utilizesubprocess.runto call system commands and the Databricks CLI. This functionality provides a path for arbitrary command execution if the framework is used with malicious instructions. - [DATA_EXFILTRATION]: The skill manages sensitive credentials including Databricks API keys and Anthropic tokens. In
src/skill_test/agent/executor.py, these secrets are read from environment variables or configuration files and passed to subprocesses running agent sessions and MCP servers. Improper handling or exposure of these configuration files could lead to credential harvesting. - [PROMPT_INJECTION]: The skill has a large surface for indirect prompt injection (Category 8). It ingests untrusted data from other skills'
SKILL.mdandground_truth.yamlfiles and uses this data to generate and execute code. - Ingestion points:
src/skill_test/dataset.py(YAML loading) andsrc/skill_test/cli/commands.py(SKILL.md parsing). - Boundary markers: The framework does not implement isolation or sanitization when interpolating external content into prompts or preparing code for execution.
- Capabilities: It has powerful capabilities (local/remote execution, filesystem access) that can be triggered by processing maliciously crafted skill definitions.
Audit Metadata