text2agent
Fail
Audited by Gen Agent Trust Hub on Mar 28, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill implements a mandatory automated verification loop (Step 7) that executes 'python -m <module_path>' to check for dependencies. If a module is missing, it automatically executes 'pip install <missing_package_name>'. This allows for the installation and runtime execution of arbitrary code from external registries based on dynamically generated configuration strings.
- [COMMAND_EXECUTION]: The skill utilizes the terminal tool to perform high-risk operations including recursive directory creation, writing executable Python scripts to the filesystem using 'cat' redirection, and executing shell commands to verify file structures and package availability.
- [PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection (Category 8). It is explicitly designed to read and 'deconstruct' user-uploaded SKILL.md files from the '~/.aworld/SKILLS/' directory to extract logic and 'genius'. A malicious skill file could contain hidden instructions to hijack the 'Master Agent Architect' role during the synthesis process.
- Ingestion points: SKILL.md files located in user-controlled directories (~/.aworld/SKILLS/) are read via CAST_SEARCH.
- Boundary markers: No delimiters or instructions to ignore embedded commands within reference files are provided.
- Capability inventory: The skill has full terminal access, file write capabilities, and the ability to install Python packages.
- Sanitization: There is no validation or sanitization of the content extracted from reference SKILL.md files before it is fused into the new agent's system prompt.
- [EXTERNAL_DOWNLOADS]: The skill performs unverified external downloads by invoking the package manager to install dependencies identified during the runtime verification of generated code.
Recommendations
- AI detected serious security threats
Audit Metadata