pydantic-ai
Pass
Audited by Gen Agent Trust Hub on May 15, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The documentation describes a framework that ingests untrusted data from multiple sources (user input, web search results, MCP servers) and provides agents with significant capabilities (code execution, file system access, tool delegation).
- Ingestion points: Untrusted data enters the agent context via
agent.run()prompts,WebSearchToolresults,MCPServerTooloutputs, and multimodal inputs (URLs for images/audio/video). - Boundary markers: The documentation focuses on system prompts and structured outputs, but does not consistently mandate the use of delimiters or 'ignore' instructions when processing external tool outputs.
- Capability inventory: The framework supports high-risk capabilities including
CodeExecutionTool(available in OpenAI/Google/Anthropic),FileSystemToolset(mentioned inagents.md), and network access via multiple search tools. - Sanitization: While the framework provides
args_validatorfor tool inputs and Pydantic validation for outputs, these do not inherently prevent the LLM from following malicious instructions embedded in processed text data.
Audit Metadata